Lincare Holdings Inc, the US’s largest provider of home respiratory supplies, has agreed to pay $875,000 to settle a class-action lawsuit from employees over a data breach which occurred in February 2017.
The breach occurred as a result of a “CEO Fraud” scam in which a cybercriminal, posing as a high-level executive at the company, requested W-2 data for employees from a member of the HR team. The HR staff member did as requested, thus compromising the data.
Following the breach, Lincare notified impacted employees and offered them two years of complimentary credit monitoring, remediation services, and identity theft insurance. However, the employees who went on to file litigation against the company described the move as a “minor half-measure that did not safeguard and protect the [information] already released.”
The litigation, filed in October, asserted claims against Lincare for alleged negligence, breach of fiduciary duty, breach of implied contract, and violation of Florida’s Deceptive and Unfair Trade Practices Act.
The settlement breaks the $875,000 sum into two separate funds: $550,000 (up to $1,000 per individual) to compensate class members suffering an out-of-pocket loss not covered by the credit and identity monitoring protection offered by Lincare, and $325,000 for members who had experienced an ‘eligible incident’ (up to $500 per incident, and a limit of two incidents per claimant). ‘Eligible incidents’ cover the use of the breached information for fraudulent tax returns, the opening of false credit lines, and similar incidents.
The settlement also included provisions for Lincare to provide a further two years of credit and identity monitoring and protection services to impacted employees following the expiry of the initial service offered in 2017.
The company has also formally agreed to carry out ‘enhanced data security measures’ for at least the next two years, including measures such as ensuring that the Head of IT is responsible for cybersecurity and has received appropriate training, maintaining a spam filter, and providing employees with annual training on privacy awareness, information security, and phishing.
As part of the settlement, Lincare did not admit to any wrongdoing.
Though this breach involved employee rather than patient records, Lincare had previously been fined $239,800 by the HHS Office for Civil Rights (OCR) for HIPAA violations which exposed the personal information of at least 278 patients.
This incident is just one of many involving the healthcare sector. According to Verizon’s 2018 Data Breach Investigations Report, healthcare sector organisations are the most common victims of a data breach, accounting for 24% of all incidents. The report also noted that this was the only sector in which internal actors were culpable more often than external ones.