In February 2017, Lincare Holdings Inc., a supplier of home respiratory therapy products, experienced a breach of sensitive employee data.
The breach involved the exposure of thousands of employees’ W2 forms to an unauthorised individual. The files were exposed when a phisher emailed the company requesting the forms. The business email compromise (BEC) scam fooled an employee of the human resources department into sending them on. Names, addresses, Social Security numbers, and details of employees’ earnings were obtained by the attacker. No private health information was shared with the phisher.
This attack is one of a number of recent W2 phishing scams. Healthcare organizations and schools in particular are heavily targeted by phishers. The scam involves the attacker using a spoofed company email address (or, in some cases, a real email address which has been compromised by the hacker) to request copies of W2 forms from HR department employees. The email appears completely legitimate and authentic, and many employees are fooled into sharing the data with the fraudster, who then uses it for personal gain.
Cyberattacks that result in the sensitive data of patients and consumers being exposed often result in class action lawsuits. This instance is particularly unusual, as it requires employees to take action against their own employer. Lincare has become one of a growing number of companies facing lawsuits for failing to protect their employees’ sensitive data.
Three former Lincare employees whose PII was disclosed in February have been named in a class-action lawsuit against the firm. The plaintiffs are seeking damages for the exposure of their PII, credit monitoring and identity theft protection services for 25 years, and 25 years of coverage by an identity theft insurance policy. This is a huge increase from the 24 months of complimentary credit monitoring and identity theft protection that Lincare originally offered to employees affected by the breach.
The plaintiffs claim Lincare was negligent for failing to implement “the most basic of safeguards and precautions,” such as training its employees how to identify phishing scams. The plaintiffs allege the HR employee failed to authenticate the validity of the request for W2 forms, instead just attaching the information and replying to the email. This indicated that the employee had not been adequately trained in even the most basic of anti-phishing awareness techniques, which was a failing of Lincare.
In the lawsuit, the plaintiffs argue that had simple security measures been adopted by Lincare, the breach could have been easily prevented. Those measures include the use of advanced spam filters, providing information security training to staff, implementing data security controls that prohibit employees from having on-demand access to PII, adding multiple layers of computer system security and authentication, and ensuring PII was only sent in encrypted form.
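As an added example (not code from the article or from Lincare), the following Python heuristics flag an inbound W2 request that shows the spoofing signs described above, the kind of check a mail filter or HR mailbox rule could apply before anyone replies; the corporate domain, addresses and messages are constructed. The compromised-mailbox case passes every header check, which is why the decision function holds any W2 request for out-of-band verification.

```python
import difflib
import email
from email import policy
from email.utils import parseaddr

# Assumed value (not from the article): the HR team's own mail domain.
CORPORATE_DOMAIN = "example-corp.com"
W2_TERMS = ("w2", "w-2", "wage and tax statement")

# Constructed sample messages mimicking the W2 request pattern.
SPOOFED = """\
From: "Jane Doe, CEO" <jane.doe@examp1e-corp.com>
Reply-To: jane.doe.ceo@mail-example.net
To: hr@example-corp.com
Subject: W2 copies needed today

Please send me the W-2 forms for all employees as PDF. Thanks.
"""
BENIGN = """\
From: Bob <bob@example-corp.com>
To: hr@example-corp.com
Subject: Parking permit

Could I get a new parking permit?
"""


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def risk_flags(raw_message: str, corporate_domain: str = CORPORATE_DOMAIN) -> list:
    """Return the reasons an inbound message resembles a W2 BEC request (empty if none)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    flags = []
    if not any(term in text for term in W2_TERMS):
        return flags  # not a W2 request, nothing to escalate
    flags.append("requests W-2 data")
    if from_domain != corporate_domain:
        flags.append(f"sender is external ({from_domain})")
        # A near-miss spelling of the real domain is the classic spoof.
        if difflib.SequenceMatcher(None, from_domain, corporate_domain).ratio() >= 0.8:
            flags.append("sender domain is a lookalike of the corporate domain")
    if reply_addr and _domain(reply_addr) != from_domain:
        flags.append(f"Reply-To routes answers to {_domain(reply_addr)}")
    return flags


def should_hold(raw_message: str) -> bool:
    """Hold every W2 request for out-of-band verification, even from an internal address."""
    return bool(risk_flags(raw_message))
```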
Some employees are already feeling the effects of having their PII stolen. The attacker has already used the stolen data to apply for credit and loans. The lawsuit points out that Lincare sent an email to staff on April 21 saying, “Current and/or former employees affected by the data breach had already had their PII used by a third party or parties as part of a fraudulent scheme to obtain federal student loans through the Department of Education’s Free Application for Federal Student Aid.”
It is yet to be determined whether Lincare is liable for the attack. The courts will need to decide whether additional safeguards should have been implemented to prevent such a breach from occurring, and whether there was an implied agreement that the company would keep employee information secure.