Lincare Holdings Inc., a company supplying home respiratory therapy products, had a breach of employee personal data in February 2017. According to the report, an HR department employee emailed the W2 forms of thousands of employees to a fraudster after being tricked by a business email compromise (BEC) scam. No health data was included in the sent information, but the fraudster obtained names, addresses, employees’ earnings details and Social Security numbers.
There has been an increase in W2 phishing scams this year. Most scammers targeted healthcare organizations and schools. The scammer usually requests copies of W2 forms from HR employees using a compromised company email account or a spoofed company email address. Most cyberattacks involving healthcare data result in class action lawsuits, but it is rare for employees to file lawsuits against their employers. Three Lincare employees whose PII was exposed took legal action against the company for failing to protect their data.
The plaintiffs claim that Lincare failed to implement the required safeguards and precautions to avoid phishing scams. The employer should have trained its employees to identify phishing scams and to validate requests for W2 forms; simply attaching W2 forms in reply to an email is not acceptable. Lincare should also have implemented security measures such as advanced spam filters, multiple layers of computer system security, limiting employees’ access to PII and encrypting PII before sending it.
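The request-validation control the plaintiffs describe can be made concrete. The following is an added example, not code from the article or from Lincare: a triage check that an HR mailbox filter could run on incoming mail. Any message asking for W2 or Social Security data is held for out-of-band verification regardless of who sent it (a compromised internal account looks legitimate), and the check lists the BEC indicators the article mentions, namely a spoofed or lookalike sender domain, a Reply-To that points somewhere else, and urgency language. The company domain `example.com`, the helper names and the three sample messages are all constructed for this example.

```python
import difflib
import email
from email import policy
from email.utils import parseaddr

# Assumption for this example: the organisation's real mail domain.
COMPANY_DOMAIN = "example.com"
# Terms that mark a message as a request for payroll / W-2 data.
SENSITIVE_TERMS = ("w2", "w-2", "social security", "ssn", "earnings")
# Pressure language typical of BEC requests.
URGENCY_TERMS = ("urgent", "asap", "immediately", "right away")


def _domain(header_value):
    """Extract the lower-cased domain from an address header such as 'CEO <x@y>'."""
    _, address = parseaddr(str(header_value or ""))
    return address.rpartition("@")[2].lower()


def triage_w2_request(raw_message):
    """Classify one RFC 5322 message.

    Returns {"hold": bool, "indicators": [...]}. Any message asking for W-2 or
    SSN data is held for verification through a known phone number, even when
    it comes from an internal address, because that account may be compromised.
    The indicators explain why the message looks like business email compromise.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg["Subject"] or "").lower()
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    haystack = subject + "\n" + text

    if not any(term in haystack for term in SENSITIVE_TERMS):
        return {"hold": False, "indicators": []}

    indicators = []
    from_domain = _domain(msg["From"])
    if from_domain != COMPANY_DOMAIN:
        # A near-match to the real domain (e.g. digit 1 for letter l) is a
        # classic spoofing trick; a clearly foreign domain is flagged separately.
        similarity = difflib.SequenceMatcher(None, from_domain, COMPANY_DOMAIN).ratio()
        if similarity >= 0.8:
            indicators.append(f"lookalike sender domain {from_domain!r}")
        else:
            indicators.append(f"external sender domain {from_domain!r}")

    reply_domain = _domain(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        indicators.append(f"Reply-To domain {reply_domain!r} differs from From domain")

    if any(term in haystack for term in URGENCY_TERMS):
        indicators.append("urgency language")

    return {"hold": True, "indicators": indicators}


# Constructed sample messages (not real mail from the incident).
SPOOFED_MESSAGE = """From: "Chief Executive" <ceo@examp1e.com>
Reply-To: ceo.office@mail-relay.test
To: hr@example.com
Subject: Urgent: W2 forms needed

Please send me the W2 forms for all employees as a PDF asap.
"""

INTERNAL_MESSAGE = """From: payroll@example.com
To: hr@example.com
Subject: W-2 copies for audit

Could you forward the W-2 copies for the finance team?
"""

UNRELATED_MESSAGE = """From: facilities@example.com
To: hr@example.com
Subject: Parking lot closure

The north lot is closed on Friday.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_MESSAGE),
                      ("internal", INTERNAL_MESSAGE),
                      ("unrelated", UNRELATED_MESSAGE)):
        print(name, triage_w2_request(raw))
```

The spoofed message is held with three indicators; the internal request is held with none, which is the point of the control: the decision to release W2 data is made by a phone call, not by the mail filter.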
The plaintiffs are seeking damages for the exposure of their PII, and they want free identity theft protection services, credit monitoring and identity theft insurance for 25 years. Lincare had previously offered them only 24 months of credit monitoring and identity theft protection services.
The lawsuit pointed out that the attacker has already used the stolen data to obtain federal student loans through the Department of Education’s Free Application for Federal Student Aid. The notification email Lincare sent to employees affected by the data breach mentioned the reported fraud. Now it is up to the courts to decide how much liability Lincare should answer for.