Medical provider Lincare will pay $875,000 to settle a lawsuit filed by employees whose information may have been exposed in a “phishing attack”, the portal HME News reports.
The lawsuit stems from an incident on Feb. 3, 2017, when a cyber-criminal posing as a high-level Lincare executive emailed a Lincare human resources employee and requested W-2 information for all employees. The HR employee responded with attached W-2 data for a certain number of employees of Lincare and its affiliates.
On Feb. 10, 2017, Lincare sent notice of the “phishing attack” to all impacted current and former Lincare employees, notifying them that their personally identifiable information may have been compromised. The company offered two years of complimentary credit monitoring, remediation services and identity theft insurance.
On Oct. 16, 2017, however, Andrew Giancola, Raymond Scott and Patricia Smith filed the lawsuit, alleging negligence, breach of fiduciary duty, breach of implied contract and violation of Florida’s Deceptive and Unfair Trade Practices Act.
Per the settlement, $550,000 will be used to compensate class action members who suffered an out-of-pocket loss and $325,000 will be reserved for members who experienced an “eligible incident,” like a fraudulent tax return.
Lincare has also implemented, or has agreed to implement, additional security measures, including an external HIPAA risk assessment every two years; an annual risk assessment of employees’ data; updated spam filter; and employee education.
As part of the agreement, Lincare admits to no wrongdoing.