Employees Sue Home Health Provider After Phishing Breach
A class action lawsuit claims that thousands of employees of a home healthcare services firm were harmed by the disclosure of their personal information in a breach earlier this year involving a business email compromise scam. Earlier, regulators fined the company for another breach.
Three former employees of Clearwater, Fla.-based Lincare Holdings Inc., a provider of in-home respiratory care and medical equipment, filed the lawsuit Monday in U.S. district court.
The suit alleges negligence and other charges related to a data breach in February 2017, when a Lincare human resources worker fell for a phishing scam in which a fake email, purporting to be from a Lincare executive, requested W-2 tax form information about company employees.
The lawsuit alleges that the Lincare HR employee, "rather than confirming or authenticating the validity of the request, compiled the requested information and complied with the request by emailing the name, address, Social Security number, earnings information and more of current and former Lincare employees to the purported Lincare executive."
Lincare, which has about 14,000 employees in about 1,000 locations nationwide, didn't have "the most basic security," resulting in negligence, breach of fiduciary duty, breach of implied contract, and violation of the Florida Deceptive and Unfair Trade Practices Act, the suit alleges.
Plaintiffs are seeking damages as well as at least 25 years of free credit and identity monitoring.
Previous Lincare Case
The complaint also points out that the incident at the center of the suit isn't Lincare's first data breach.
In January 2016, the Department of Health and Human Services' Office for Civil Rights imposed a $240,000 civil monetary penalty for Lincare's alleged failure to implement policies and procedures to safeguard records containing its patients' protected health information as required by HIPAA (see OCR Slaps Home Health Provider With Penalty).
In that previous incident, OCR's investigation found that a Lincare employee in December 2008 left behind documents containing the PHI of 278 patients after moving to a new residence.
That Lincare case was only the second time ever that OCR imposed a civil monetary penalty in a case involving "egregious violations" of HIPAA.