Workers Prosecute Lincare Over W2 Phishing Attack

During February 2017, Lincare Holdings Inc., a provider of home respirational treatment products, experienced a breach of confidential worker information.

The W2 papers of thousands of workers were sent by e-mail to a swindler by a worker of the human resources division. The HR department worker was deceived by a business email compromise (BEC) cheat. Although health data wasn’t revealed, names, Social Security numbers, addresses, as well as particulars of workers’ remunerations were obtained by the assailant.

This year has seen a rise in W2 phishing cheats, with schools and healthcare companies extensively aimed by cheaters. The cheat involves the assailant utilizing an undermined company electronic mail account – or a tricked company electronic mail address – to demand copies of W2 papers from HR division workers.

Cyberattacks that lead to the confidential data of consumers and patients being revealed often leads to class action charges, even though it’s relatively unusual for workers to take legal action versus their companies. Lincare is among few organizations to confront a charge for failing to safeguard worker data.

Three ex Lincare workers whose PII was revealed in February have been called in a class-action charge against the company. The accusers are looking for harms for the revelation of their PII, credit checking and identity thievery safety facilities for 25 years, as well as 25 years of insurance coverage by an identity thievery insurance plan. Lincare earlier offered 24 months of free credit checking and identity thievery protection facilities to workers impacted by the event.

The accusers claim Lincare was careless for not implementing “the most elementary of precautions and safeguards,” like training its workers how to detect phishing cheats. The accusers allege the HR worker failed to validate the legitimacy of the demand for W2 papers, in its place simply attaching the data and responding to the electronic mail.

In the charge, the accusers contend that had easy safety measures been implemented by Lincare the breach might have been easily avoided. Those measures contain the usage of sophisticated junk filters, providing information safety training to staff, applying data safety controls that forbid workers having on-demand entrance to PII, adding several strata of computer system safety and validation, and making certain PII was only dispatched in encrypted type.

The danger of the PII being utilized to carry out fraud isn’t hypothetical. The assailant has already utilized the thieved data to apply for loans and credit. The charge points out that Lincare transmitted an electronic mail to workforce on April 21 stating, “Existing and/or ex-employees impacted by the data breach had already had their PII utilized by a third-party or parties as portion of a fake scheme to get federal student loans via the Division of Education’s Open Application for National Student Help.”

The query that the courts will require to responding is to what level Lincare is responsible for the attack, whether extra protections must have applied and whether there was an indirect contract that the organization would keep worker information safe.