[BreachExchange] Former employees sue respiratory therapy supplier Lincare over February data breach

Audrey McNeil audrey at riskbasedsecurity.com
Fri Oct 20 15:15:45 EDT 2017


http://www.fiercehealthcare.com/privacy-security/lincare-class-action-lawsuit-data-breach-legal-ocr-fine-phishing-scam

The nation’s largest supplier of home respiratory-therapy products, which
was previously fined for violating HIPAA, is now being sued by a group of
former employees, who say the company failed to implement “the most basic
security safeguards” which led to a breach of their personal data.

The breach, which does not involve health information, occurred in February
when a human resources employee was victimized by a phishing email in which
the sender claimed to be a Lincare executive asking for W-2s for employees
at the company. The lawsuit, filed in the Middle District of Florida,
alleges the company didn’t do enough to protect employee information or
train employees to recognize targeted email scams.

Phishing scams involving W-2s and employee records are commonplace,
particularly during tax season. Over the past several years, both the FBI
and the IRS issued warnings about email fraud schemes directed towards
businesses.

Lincare provides respiratory therapy equipment for in-home use, typically
for customers suffering from chronic obstructive pulmonary disease.
Headquartered in Florida, Lincare operates more than 1,000 locations across
the country with more than 14,000 employees.

Although the company provided credit monitoring after the breach, the group
of former employees argues it was a “minor half-measure that did not
safeguard and protect the already released” information. The employees also
claimed Lincare “squarely placed the burden” on employees to mitigate the
damages of the breach.

In addition to relief for damages, the plaintiffs requested Lincare provide
employees at least 25 years of bank monitoring, credit restoration services
and identity-theft insurance.

A Lincare spokesperson declined to comment on the lawsuit.

It’s not the first time Lincare’s cybersecurity practices have been
questioned. In 2016, the Office for Civil Rights fined the company nearly
$240,000 for failure to implement written policies and procedures to protect
patient information that was taken off-site.

However, recent legal cases have raised questions about an employer’s duty
to protect employee information. A lawsuit against the University of
Pittsburgh Medical Center following a data breach that exposed personal
information of nearly 62,000 employees is scheduled to go before the state
Supreme Court after the Superior Court ruled there was no implied agreement
for UPMC to keep employee information safe.