Legal News

Federal Court Rules in Favor of Main Line Health in Age Discrimination Case Over HIPAA Violation

In 2016, Radnor, PA-based Main Line Health Inc., terminated an employee for violating Health Insurance Portability and Accountability Act (HIPAA) Rules by accessing the personal records of a co-worker without authorization on two separate occasions.

In such cases, when employee or patient records are accessed without authorization, employees face disciplinary action which can include termination. Gloria Terrell was one such employee who was terminated for violating company policies and HIPAA Rules. Main Line Health fired Terrell for “co-worker snooping.”

Terrell filed an internal appeal over her termination and maintained she accessed the records of a co-worker in order to obtain a contact telephone number. Terrell said she needed to contact the co-worker to make sure a shift would be covered, and this constituted a legitimate business reason for the access as she was unable to find the phone list with employees’ contact numbers.

After firing Terrell, Main Line Health appointed a significantly younger person to fill the vacant position. Terrell took legal action against Main Line Health in September 2016 claiming age discrimination. In the lawsuit, Terrell claimed Main Line Health had experienced similar snooping incidents in the past and failed to apply the same rules for younger employees. Terrell claimed she knew of three younger co-workers who were not terminated following the discovery of HIPAA violations. However, Terrell could not substantiate those assertions and all three employees denied they had been involved in any improper accessing of patient records.

Main Line Health explained appropriate training on HIPAA Rules and company policies had been provided to staff on multiple occasions and that there were established policies related to the protection of confidential employee and patient information. Those policies clearly state disciplinary action will be taken if company policies and HIPAA Rules are violated, which may include immediate discharge from employment.

Main Line Health maintained Terrell was terminated for a legitimate, non-discriminatory reason and, since the case raised no triable issue, it was entitled to summary judgment.

Terrell’s case (Gloria Terrell v. Main Line Health, Inc., et al., Civil Action No. 17-3102) was heard in federal court in the Eastern District of Pennsylvania. U.S. District Court Judge Richard Barclay Surrick recently granted Main Line Health’s motion for summary judgment, ruling that Terrell had failed to establish a viable age discrimination claim.

“In short, other than her own subjective beliefs, Plaintiff has offered no evidence from which a reasonable factfinder could conclude that Defendant’s proffered reason for terminating her lacks credibility. She has provided no evidence to support a finding of discrimination,” wrote Judge Barclay Surrick. “Although one may have reservations about the wisdom of terminating an employee with Plaintiff’s experience and tenure for electronically accessing a phone number that had already been made available to co-workers in paper form, it is not for this Court to sit as a super-personnel department that re-examines an entity’s business decisions.”

The post Federal Court Rules in Favor of Main Line Health in Age Discrimination Case Over HIPAA Violation appeared first on HIPAA Journal.

District Court Ruling Confirms No Private Cause of Action in HIPAA

Patients who believe HIPAA Rules have been violated can submit a complaint to the Department of Health and Human Services’ Office for Civil Rights, but they do not have the right to take legal action, at least not for the HIPAA violation itself. There is no private cause of action under HIPAA.

Several patients have filed lawsuits over alleged HIPAA violations, although the cases have not proved successful. A recent case has confirmed once again that there is no private cause of action in HIPAA, and lawsuits filed solely on the basis of a HIPAA violation are extremely unlikely to succeed.

Ms. Hope Lee-Thomas filed the lawsuit for an alleged HIPAA violation that occurred at Providence Hospital in Washington D.C., where she received treatment from LabCorp. Ms. Lee-Thomas, who represented herself in the action, claims that while at the hospital on June 15, 2017, a LabCorp employee instructed her to enter her protected health information at a computer intake station.

Ms. Lee-Thomas told the LabCorp employee that the information was in full view of another person at a different computer intake station and took a photograph of the two computer intake stations.

On July 3, 2017, Ms. Lee-Thomas submitted a complaint to the hospital alleging a violation of HIPAA and filed a complaint with the HHS’ Office for Civil Rights. She later filed a complaint with the District of Columbia Office of Human Rights (OHR) claiming the hospital had failed to make appropriate accommodations to preserve patients’ privacy.

On November 15, 2017, the HHS informed Ms. Lee-Thomas that her claim would not be pursued and OHR similarly dismissed her complaint on November 28, 2017, in both cases on the grounds that she failed to state a claim. OHR suggested Ms. Lee-Thomas had the right to bring a private action before the D.C. Superior Court and she proceeded to do so.

LabCorp removed the case to the U.S. District Court for the District of Columbia and filed a motion to dismiss, again for failure to state a claim. Ms. Lee-Thomas did not respond to the motion to dismiss.

In a June 15 ruling, District Court Judge Rudolph Contreras confirmed that HIPAA does permit financial penalties to be issued when patients’ privacy is violated in breach of HIPAA Rules, but civil and criminal penalties are pursued by the Department of Health and Human Services’ Office for Civil Rights and state attorneys general. In his ruling, Judge Contreras confirmed there is no private cause of action in HIPAA.

Even if there was a private cause of action, it would be unlikely that this case would have proved successful as no harm appears to have been caused as a result of the alleged HIPAA violation.

While lawsuits are likely to be dismissed when based on HIPAA violations alone, that does not mean legal action cannot be taken by patients whose privacy has been violated. There is no private cause of action in HIPAA, but the privacy of personal information is covered by state laws.

Laws have been passed in all 50 states that require notifications to be issued to consumers when their personal information has been exposed, and several states also require companies to implement ‘reasonable safeguards’ to ensure personal data of state residents are protected.

A HIPAA violation can be reported to OCR to investigate, and action may be taken against the covered entity in question by OCR, but if the sole basis of any legal action is a violation of HIPAA Rules, the case is unlikely to be successful.

Victims of privacy violations who wish to take legal action should look at potential violations of state laws rather than HIPAA violations.

3-Year Jail Term for VA Employee Who Stole Patient Data

A former employee of the Veterans Affairs Medical Center in Long Beach, CA who stole the protected health information (PHI) of more than 1,000 patients has been sentenced to three years in jail.

Albert Torres, 51, had been employed as a clerk at the medical center for less than a year. He was pulled over by police officers on April 12 after a check of his license plates revealed an anomaly: the plates, of a type typically reserved for commercial vehicles, were being used on a private vehicle.

The officers found prescription medications for which Torres had no prescription, along with the Social Security numbers and other PHI of 14 patients, in his vehicle. A subsequent search of Torres’ apartment turned up hard drives and zip drives containing the PHI of 1,030 patients, together with more than $1,000 worth of cleaning supplies stolen from the hospital.

After pleading guilty to several charges, including identity theft and grand theft, Torres was sentenced on June 4 to three years in state prison.

Sutter Health Fires Employees for Attempted PHI Access

An undisclosed number of employees of Sutter Health have been fired for accessing the medical records of patients without authorization.

CBS 13 Sacramento reported that an anonymous source had confirmed that Sutter Health had fired two employees for searching for the medical records of the suspected Golden State Killer, Joseph DeAngelo.

Following the news report from CBS 13, Sutter Health spokesperson Gary Zavoral issued a statement confirming action had been taken in response to the improper accessing of PHI, according to the Sacramento Business Journal.

While Zavoral did not confirm the number of employees that had been terminated, nor the patient or patients whose medical records were accessed, he did confirm that the employees concerned had been terminated.

Sutter Health has a system in place that generates alerts when employees access medical records without authorization. When improper access is detected, it usually results in termination.
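
The kind of rule such an alerting system runs, as an added example that is not Sutter Health’s system or any vendor’s code. The log format, identifiers, care-team roster and watch list are constructed for illustration. It applies three checks a record-access monitor typically makes: an access with no treatment relationship, an access to a co-worker’s own chart (the Main Line Health case above), and a burst of distinct users opening one record in a short window (the pattern that gives away staff searching for a patient in the news).

```python
"""Flag medical-record "snooping" from EHR audit-log lines (added example; constructed data)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed reference data that an EHR would normally provide.
STAFF_PATIENT_ID = {"u1001": "p5001", "u1002": "p5002", "u1003": "p5003"}  # employee -> own chart
CARE_TEAM = {"p5002": {"u1003"}, "p7777": {"u1001"}, "p8888": {"u1002"}}    # patient -> treating users
WATCH_LIST = {"p8888"}  # patients under heightened monitoring, e.g. someone in the news

# Constructed audit-log lines: timestamp|user|patient|action
SAMPLE_LOG = """\
2018-06-01T08:02:11|u1003|p5002|view
2018-06-01T08:05:40|u1001|p5002|view
2018-06-01T09:15:02|u1001|p7777|view
2018-06-02T14:22:19|u1001|p5002|view
2018-06-03T10:00:05|u1002|p8888|view
2018-06-03T10:01:30|u1003|p8888|search
2018-06-03T10:02:10|u1004|p8888|search
2018-06-03T10:03:55|u1005|p8888|view
"""


def parse_line(line):
    ts, user, patient, action = line.strip().split("|")
    return datetime.fromisoformat(ts), user, patient, action


def reasons_for(user, patient):
    """Policy reasons an access is suspicious; an empty list means it is permitted."""
    if user in CARE_TEAM.get(patient, set()):
        return []
    reasons = []
    if STAFF_PATIENT_ID.get(user) == patient:
        reasons.append("own record")  # self-lookups normally have to go through the patient portal
    elif patient in STAFF_PATIENT_ID.values():
        reasons.append("co-worker record")
    if patient in WATCH_LIST:
        reasons.append("watch-list patient")
    if not reasons:
        reasons.append("no treatment relationship")
    return reasons


def analyse(log_text, burst_window=timedelta(minutes=10), burst_threshold=3):
    """Return (alerts, bursts). Each alert carries the user's running count of
    policy hits, so a second offence (as in the Main Line Health case) stands out."""
    alerts, per_user = [], Counter()
    by_patient = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = parse_line(line)
        by_patient[patient].append((ts, user))
        reasons = reasons_for(user, patient)
        if reasons:
            per_user[user] += 1
            alerts.append({"ts": ts, "user": user, "patient": patient, "action": action,
                           "reasons": reasons, "repeat_count": per_user[user]})
    # Burst detection: at least burst_threshold distinct users touching one record inside
    # burst_window, counted regardless of whether each access was individually permitted.
    bursts = []
    for patient, events in by_patient.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - t0 <= burst_window}
            if len(users) >= burst_threshold:
                bursts.append((patient, t0, sorted(users)))
                break
    return alerts, bursts


if __name__ == "__main__":
    found, spikes = analyse(SAMPLE_LOG)
    for a in found:
        print(f"{a['ts']:%Y-%m-%d %H:%M} {a['user']} -> {a['patient']} ({a['action']}): "
              f"{', '.join(a['reasons'])} [hit #{a['repeat_count']} for this user]")
    for patient, start, users in spikes:
        print(f"burst on {patient} from {start:%Y-%m-%d %H:%M}: {len(users)} users {users}")
```

On the sample log the rule raises two alerts for u1001 opening a co-worker’s chart, three watch-list alerts for users with no treatment relationship to p8888, and one burst on p8888 because four different users touched the record within ten minutes. In a real deployment the care-team relationship comes from the EHR’s encounter data and the watch list from the privacy office; the important design point is that the burst check fires even when each individual access would have been allowed.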

In addition to firing the employees concerned, Sutter Health has reminded all staff that the accessing of medical records is only permitted when there is a legitimate work reason for doing so. The person or persons whose medical records were accessed are being notified of the privacy breach.

Lawsuits Filed Over Alleged HIPAA Violations

Two lawsuits have recently been filed in relation to alleged breaches of Health Insurance Portability and Accountability Act (HIPAA) Rules, one by a former hospital employee and another by a patient whose privacy was allegedly violated by a CVS pharmacy employee.

Former Employee of Mosaic Life Care Medical Center Takes Legal Action over Dismissal

A former employee of Mosaic Life Care Medical Center in St. Joseph, MO is taking legal action alleging wrongful discharge and retaliation for the steps she took to avoid a violation of the False Claims Act.

Debra Conard, 57, alleges she was wrongfully terminated for raising concerns about unlawful, unethical, and fraudulent billing practices. According to the lawsuit, in April 2017 Conard was instructed by hospital officials to release charges for billing even though the documentation did not support the claims. She was required to push multiple charges through that would induce payment by Medicare and other third-party payers, even though she could not verify that the claims were correct.

Conard raised her concerns about potential violations of the False Claims Act and told her supervisor of the possibility of substantial fines. Under instruction, Conard processed the claims but added notes stating that the claims were not supported by the documentation and had been authorized for release even though she believed them to be fraudulent.

Conard was then subjected to disciplinary action, including suspension, which she alleges was a response to her opposition to the fraudulent billing. She complained about the disciplinary action and was later accused of violating HIPAA Rules. She complained about that allegation as well and was fired shortly afterwards.

The lawsuit states, “Merely because plaintiff could see patient information while performing duties in the coding program (that she needed to access to perform her job), she was subject to discipline and suspension.” Conard is seeking $75,000 in compensatory damages, lost wages, lost benefits, attorneys’ fees, and reinstatement.

Lawsuit Filed over Alleged Disclosure of Viagra Prescription

A New York man is taking legal action against CVS Pharmacy over an alleged privacy violation in which details of his prescriptions were disclosed over the telephone to his wife. The man had visited a Long Island branch of the pharmacy chain to fill a prescription for 100 mg of Viagra with five refills. The man wanted to pay for the drug personally rather than have it covered by his insurance.

The man’s wife contacted the same pharmacy by telephone a few days later about an unrelated matter and was allegedly told about her husband’s Viagra prescription by a CVS Pharmacy employee. As a result of the disclosure, the man claims his marriage has broken down and that he has suffered a “genuine, severe mental injury and emotional harm”.

The man, identified as Michael Feinberg, claims his wife had no right to be told about his medication and that by disclosing the information to a third party (his wife) the pharmacy violated the HIPAA Privacy Rule.

Legal Action Being Considered Over EMS Worker’s Facebook Post

A woman from Roane County, TN, is considering taking legal action over a Facebook post made by an EMS worker who visited her property to provide treatment to her husband who had collapsed after suffering a heart attack while in his chicken coop.

Kathy Raymond attempted to save her husband’s life by providing cardiopulmonary resuscitation until the emergency services team arrived. They took over but were unable to save her husband’s life.

Following the visit, an EMS worker posted a message on Facebook about the incident. The message was – “well, we had a first … We worked a code in a chicken coop! Knee deep in chicken droppings.” WATE reports that further comments were added to the post by the worker, who stated, “it was awful” and that “I’m pretty sure y’all could smell us in dispatch.”

Raymond contacted Roane County EMS to complain about the EMS worker’s unprofessional and insensitive behavior and the matter was investigated internally.

No PHI was mentioned in the post although questions have been raised over a possible HIPAA violation. Since no PHI was disclosed, the county attorney does not believe HIPAA has been violated, but did say that the post should not have been made on social media.

The employee concerned has been reprimanded and talks have been scheduled with EMS workers to explain that no work matters should be discussed or posted on Facebook.

Raymond was not happy with the response to the incident and said, “this is wrong for her to just get a slap on the wrist. I don’t want her to be able to have a job as an EMS worker if she does not have more compassion than that. Even though she did not mention his name, she said it was the first time they had ever had a call in a chicken coop. Everybody knows where my husband died.”

Colorado Governor Signs Data Protection Bill into Law

Colorado Governor John Hickenlooper has signed a bill – HB 1128 – into law that strengthens protections for consumer data in the state of Colorado. The bipartisan bill, sponsored by Reps. Cole Wist (R) and Jeff Bridges (D) and Sens. Kent Lambert (R) and Lois Court (D), was unanimously passed by the Legislature. The bill will take effect from September 1, 2018.

The bill requires organizations operating in the state of Colorado to implement reasonable security measures and practices to ensure the personal identifying information (PII) of state residents is protected. The bill also reduces the time for notifying the state attorney general about breaches of PII and introduces new rules for disposing of PII when it is no longer required.

Personal information is classed as first name and last name or first initial and last name in combination with any of the following data elements (when not encrypted, redacted, or secured by another means that renders the information unreadable):

  • Social Security number
  • Student ID number
  • Military ID number
  • Passport number
  • Driver’s license number or ID card number
  • Medical information
  • Health insurance ID number
  • Biometric data
  • Email addresses in combination with passwords or security Q&As
  • Account numbers or credit or debit card numbers, in combination with any security code, access code, or password that would permit access to the account

Reasonable Security Measures Must be Implemented

Covered entities will be required to implement and maintain “Reasonable security procedures and practices that are appropriate to the nature of the personal identifying information and the nature and size of the business and its operations.” Those measures should protect PII from unauthorized access, modification, disclosure, and destruction. In cases where PII is passed to a third party, the covered entity must ensure the third party also has reasonable security measures in place.

A written policy must be developed by all businesses that maintain the personal information of Colorado residents covering the disposal of that information when it is no longer required. Electronic data and physical documents containing PII must be disposed of securely. The bill suggests “Shredding, erasing, or otherwise modifying the personal identifying information in the paper or electronic documents to make the personal identifying information unreadable or indecipherable through any means.”

30-Day Maximum Time Limit for Issuing Breach Notifications

When the bill was first introduced, it required the state attorney general to be notified of a breach of PII within 7 days of discovery. Such a short time frame for issuing notifications can help to ensure prompt action is taken to prevent harm or loss, although such a short time frame means notifications would need to be issued before it would be possible, in many cases, to determine whether there had been any misuse of data. This requirement of the bill attracted considerable criticism from large businesses operating in Colorado.

After consideration, that requirement was amended and the time limit for issuing notifications was extended to 30 days following the discovery of the breach. Even so, this makes Colorado’s notification deadline one of the strictest of any state. The state attorney general only needs to be notified if the breach has affected more than 500 Colorado residents. Regardless of the scale of the breach, affected individuals must be notified within 30 days.

HIPAA-covered entities should note that the 30-day time limit will apply even though HIPAA allows up to 60 days to issue notifications. HIPAA-covered entities and entities covered by the Gramm-Leach-Bliley Act are not exempt.

Breach notices are required for any security breach that exposes personal information, except a good faith acquisition of personal information by an employee or agent of a covered entity if the information is not used for a purpose unrelated to the lawful operation of the business and if that information is not subject to further unauthorized disclosure.

Where direct notice is impractical, for example because of the cost involved or the number of residents affected, the law permits substitute notice consisting of email where addresses are held, a conspicuous notice on the breached entity’s website, and notification to statewide media.

Aetna Files Further Lawsuit in an Attempt to Recover Costs from 2017 HIV Status Privacy Breach

There have been further developments in the ongoing legal battles over a 2017 privacy breach experienced by Aetna involving the exposure of patients’ sensitive health information. A further lawsuit has been filed by the insurer in an attempt to recover the costs incurred as a result of the breach.

Ongoing Legal Battles Over the Exposure of Patients’ HIV Statuses

In 2017, the health insurer Aetna experienced a data breach that saw highly sensitive patient information impermissibly disclosed to other individuals. A mailing vendor sent letters to patients in envelopes with clear plastic windows, and information about HIV medications was allegedly visible through the window. The mailings related to HIV medications used both by patients who had contracted HIV and by individuals taking the drugs as pre-exposure prophylaxis. Approximately 12,000 patients received the mailing.

Lawsuits were filed on behalf of patients whose HIV positive status was impermissibly disclosed, which were settled in January for $17.2 million. A settlement was agreed with the New York state attorney general for a further $1.15 million to resolve the privacy violations.

Following on from those settlements, Aetna attempted to recover the cost of the settlements from Kurtzman Carson Consultants, the administrator who allegedly directed the mailing vendor to send the letters to patients that exposed their PHI. Aetna maintains that Kurtzman Carson Consultants did not communicate to Aetna that the mailing was being sent using windowed envelopes. The lawsuit is ongoing.

Further Lawsuit Filed Against Two Firms Representing Breach Victims

Now a lawsuit has been filed by Aetna against the law firm Whatley Kallas and the Californian advocacy group Consumer Watchdog in an attempt to recover at least part of the $20 million in settlements already paid. Consumer Watchdog and Whatley Kallas represented patients in a previous case that led to the sending of the notification letters that exposed patients’ sensitive information.

The privacy breach that led to the $20 million settlement occurred in response to a previous privacy incident that Aetna was sued over. That initial privacy breach related to a requirement for patients who had been prescribed HIV medication to receive the drugs by mail rather than collecting them in person. Since the drugs need to be kept refrigerated, and are dispatched in refrigerated containers, it was alleged that this would violate patients’ privacy as it would be clear to neighbors and co-workers that HIV drugs were being delivered.

The latest lawsuit alleges the plaintiffs were responsible for requiring Aetna to send sensitive information to Kurtzman Carson Consultants, which Aetna opposed, and that after the information was passed to Kurtzman Carson Consultants, the plaintiffs failed to ensure the confidential information was protected.

Whatley Kallas had recommended using Kurtzman Carson Consultants and Consumer Watchdog were involved to make sure Aetna made good on its promise to change the requirements for patients to have the drugs sent by mail.

Harvey Rosenfield and Jerry Flanagan of Consumer Watchdog explained to Reuters that they “edited the text of the letter to make sure we held Aetna’s feet to the fire,” but did not receive any protected health information and were not aware that windowed envelopes were being used. They maintain Aetna is making “frivolous claims.”

“If Aetna believes that an attack on lawyers for Consumer Watchdog and Whatley Kallas LLP will be a cost-free exercise in retaliation, it is deeply mistaken,” wrote Rosenfield and Flanagan in a letter to the insurer, concluding “Aetna would be well advised to focus on remediation of its privacy practices on a nationwide basis as we are seeking in this action, instead of pursuing abusive and retaliatory tactics that seek to evade liability for its own failings and suggest that Aetna still does not take responsibility for ensuring that its customers’ private medical information is protected.”

While at face value this may appear to be a case of passing the buck, the case is not as frivolous as it may sound. According to Aetna, the law firm representing the plaintiffs in the original case was allegedly party to a proposal stating that windowed envelopes would be used, but failed to raise a red flag.

Jury Must Decide Whether Psychiatrist was Sacked for a HIPAA Violation

Boston-based Steward Healthcare System terminated a psychiatrist for violating HIPAA Rules but must now prove to a jury that was the case. The psychiatrist claims he was fired in retaliation over taking extended disability leave, not for a HIPAA violation.

Dr. Alexander Lipin contracted pneumonia and requested extended disability leave under the Family and Medical Leave Act (FMLA). Extended leave was granted by Steward Healthcare System and Lipin was due to return to work on March 2, 2016. However, Lipin was fired on February 23, while still on disability leave, over a HIPAA violation, which his attorney, Kavita M. Goyal, claims was used as an excuse for the termination.

Steward Healthcare System alleged Lipin had violated HIPAA Rules by providing patients’ protected health information to law enforcement. According to Steward Medical Group President, George Clairmont, the decision had been taken to fire Lipin over the HIPAA violation before he took leave. Clairmont also stated Lipin was fired after it was discovered he was working for Anna Jaques Hospital while on leave.

Lipin sued Steward Medical Group Inc., Steward Healthcare System, and Holy Family Hospital over his dismissal. The case was removed to federal court in November 2016, and Steward Healthcare filed a motion for summary judgment.

Massachusetts federal judge Leo T. Sorokin ruled that the case should proceed to trial to establish the facts surrounding the dismissal. Steward Healthcare will now be required to convince a jury that the decision to fire the psychiatrist was based on the HIPAA violation and not on the discovery that Lipin was working for another hospital while on disability leave.

Clairmont maintains the decision to fire Lipin was made before he went on leave on January 26. The HIPAA violation was discovered on January 16 and the decision was taken to fire Lipin. Lipin was not fired immediately as advice was sought from the company’s legal department over the nature of the termination – whether it should be for cause, effective immediately, or without cause, in which case 90 days’ notice or pay in lieu of notice would be required.

Lipin took leave and notified Steward Healthcare on February 5 that he would remain on leave until February 17, and on February 12 told Steward Healthcare that he would need to remain on leave until February 23. On February 20, leave was extended until March 2.

On February 13, Steward Healthcare learned that Lipin was continuing to work for Anna Jaques Hospital in the mornings while on leave, and Lipin was terminated ten days later on February 23.

While Judge Sorokin explained that no evidence exists in the record that directly contradicts Clairmont’s account, “A factfinder could reasonably choose to disregard Clairmont’s testimony in light of the lack of any action taken by Steward to arrange coverage for Lipin’s patients or to terminate Lipin’s employment before February 13, especially when this inaction is contrasted with Steward’s concerted steps to fire Lipin after February 13,” wrote Judge Sorokin, “These circumstances could support a reasonable inference that Steward decided to fire Lipin only after Clairmont learned of Lipin’s work at Anna Jaques.”

An initial pre-trial conference has been scheduled for May 30, 2018.

South Carolina Insurance Data Security Act Signed into Law

On May 14, 2018, South Carolina Governor Henry McMaster signed the South Carolina Insurance Data Security Act into law. The Act closely follows the Insurance Data Security Model Law drafted by the National Association of Insurance Commissioners (NAIC) in 2017. South Carolina is the first state to implement a comprehensive cybersecurity law covering the insurance industry.

From January 1, 2019, when the South Carolina Insurance Data Security Act becomes effective, all licensees of the South Carolina Department of Insurance will be required to comply with the Act.

The Act requires all insurers, agents, and other licensed entities to develop a comprehensive written information security program within six months of the compliance date. The cybersecurity program should be commensurate with the size and complexity of the company, the nature and scope of its activities, and the sensitivity of nonpublic information used/stored by the company.

The cybersecurity program should be guided by a comprehensive risk analysis and should mitigate all risks identified by that risk analysis. The Act does not specify the safeguards that should be implemented to ensure the confidentiality and security of data, but the safeguards must be appropriate to the level of risk and should include administrative, technical, and physical controls.

The cybersecurity program must protect the security and confidentiality of nonpublic information, protect against threats or hazards to the security or integrity of information, protect against unauthorized access, and define a schedule for the retention of data and a mechanism for its secure destruction when data are no longer required. Licensees must designate an individual, third party, or affiliate who is responsible for the information security program.

The controls that must be implemented include access controls, authentication controls, physical controls to prevent access to nonpublic information, and encryption (or an alternative, equivalent measure) for data stored on portable electronic devices and for data transmitted over an external network. Licensees must also identify and manage the devices that connect to their networks.

Licensees must adopt secure development practices for in-house applications, use multi-factor authentication to prevent unauthorized access to nonpublic information, regularly test and monitor systems for actual and attempted attacks, maintain audit trails, and implement measures to prevent the unauthorized destruction or loss of nonpublic information. Licensees are also required to keep up to date on emerging threats and vulnerabilities.

The Act also requires boards of directors to oversee the security program, with executive management submitting reports on the status of the program and material matters such as risk assessments, third-party service provider arrangements, test results, and cybersecurity events at least annually.

The Act requires a written cybersecurity response plan to be developed to ensure a rapid response is possible in the event of a cybersecurity incident. A cybersecurity event is defined as “an event resulting in unauthorized access to or disruption or misuse of an information system or information stored on an information system.”

There are also requirements for investigating cybersecurity incidents promptly. The Director of the Department of Insurance must be notified about cybersecurity incidents within 72 hours of discovery if the licensee is based in South Carolina or the incident impacts more than 250 South Carolina residents.

Lincare Settles W-2 Phishing Scam Lawsuit for $875,000

The respiratory therapy supplier Lincare Inc., has agreed to settle a class-action lawsuit filed by employees whose W-2 information was sent to cybercriminals when an employee responded to a phishing scam.

On February 3, 2017, a member of Lincare’s human resources department received an email from a high-level executive requesting copies of W-2 information for all employees of the firm. Believing the email was a genuine request, the employee responded and attached W-2 information for ‘a certain number of employees of Lincare and its affiliates.’

After discovering the accidental disclosure of sensitive information, Lincare contacted affected employees and offered them two years of credit monitoring, identity theft insurance, and remediation services without charge.

On October 16, 2017, three employees – Andrew Giancola, Raymond T. Scott, and Patricia Smith – took legal action against Lincare alleging negligence, breach of implied contract, breach of fiduciary duty, and violation of Florida’s Deceptive and Unfair Trade Practices Act.

The lawsuit survived a motion to dismiss and, following mediation, a settlement was agreed. Lincare has agreed to pay $875,000 to settle the case with no admission of liability. $550,000 will be paid as compensation to class members, with a further $325,000 reserved to compensate class members who experience an eligible incident such as the filing of a fraudulent tax return or the opening of a fraudulent loan or credit card in their name.

W-2 Phishing Scams and How to Protect Against Them

Last year, more than 100 U.S. organizations fell victim to W-2 phishing scams during tax season, resulting in the disclosure of more than 120,000 employees’ W-2 information. Many of the employees whose personal information was exposed had their identities stolen and fraudulent tax returns filed in their names.

W-2 phishing scams are simple but highly effective. These Business Email Compromise (BEC) attacks involve a scammer posing as a senior executive. An email is sent to an employee in the finance, payroll, or HR department requesting copies of W-2 Forms of employees who have worked for the company in the past year.

In some cases, the email address of an executive is spoofed, although the most effective campaigns involve the use of the executive’s email account. Access to the account is usually gained through a phishing attack or by guessing a weak password using brute force tactics. The scam abuses trust in executives and the unwillingness of employees to question requests from senior executives.

Last year both the FBI and the IRS issued warnings over the sharp rise in BEC attacks during tax season, many of which targeted healthcare organizations and educational institutions. Databreaches.net tracks reports of successful W-2 phishing attacks and detailed 145 attacks in 2016 and well over 100 in 2017. The true figure will undoubtedly be considerably higher as not all companies publicly announce that they have fallen for such a scam.

The cost of the attacks can be considerable for the victims and, as this settlement shows, the companies whose employees have been fooled by the scams.

Preventing attacks requires a combination of administrative and technical measures.

  • Spam filtering solutions can reduce the potential for phishing emails to be delivered to employees and can block spoofed emails, although they will not block emails sent from a compromised email account.
  • The workforce, especially finance, payroll, and HR employees, should receive security awareness training and be alerted to the threat.
  • Consider introducing internal policies that prohibit executives from requesting W-2 information via email.
  • Policies should be developed that require any request for W-2 information via email to be verified by phone or face to face before any data are provided.
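
The header and content checks behind the first two measures above, as an added example that is not Lincare’s mail filtering or any product’s rule set. ORG_DOMAIN, the executive directory and the three messages are constructed. A gateway or SOC rule would look for a display name that matches an executive while the address does not, a sender domain that is external or a lookalike of the organisation’s, a Reply-To that diverts replies elsewhere, and W-2 request language. A message sent from a genuinely compromised executive mailbox passes every header check, which is why the rule holds any emailed W-2 request for out-of-band verification instead of passing it.

```python
"""Triage inbound mail for W-2 / BEC requests (added example; constructed messages)."""
import email
import re
from email import policy
from email.utils import parseaddr

ORG_DOMAIN = "example-health.test"                          # assumed organisation domain
EXECUTIVES = {"jane doe": "jane.doe@example-health.test"}   # assumed directory: display name -> address
W2_PATTERN = re.compile(r"\bW-?2s?\b|\bwage and tax statement", re.IGNORECASE)
REQUEST_PATTERN = re.compile(r"\b(send|forward|attach|need|copies?)\b", re.IGNORECASE)


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains such as a transposed letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(raw_message):
    """Return (verdict, findings); verdict is one of block, verify, review, pass."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")

    findings = []
    expected = EXECUTIVES.get(display_name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append("display name matches an executive but the address does not")
    if sender_domain != ORG_DOMAIN:
        if 0 < edit_distance(sender_domain, ORG_DOMAIN) <= 2:
            findings.append(f"lookalike sender domain {sender_domain}")
        else:
            findings.append(f"external sender domain {sender_domain}")
    if reply_to and reply_to.rpartition("@")[2].lower() != sender_domain:
        findings.append("Reply-To directs replies to a different domain")
    header_hits = len(findings)

    w2_request = bool(W2_PATTERN.search(text)) and bool(REQUEST_PATTERN.search(text))
    if w2_request:
        findings.append("requests W-2 data by email; confirm by phone or in person before replying")

    if w2_request and header_hits:
        verdict = "block"    # impersonation plus a W-2 ask: quarantine
    elif w2_request:
        verdict = "verify"   # headers look genuine (possibly a compromised account): hold for verification
    elif header_hits:
        verdict = "review"
    else:
        verdict = "pass"
    return verdict, findings


# Constructed messages: a CEO spoof from a lookalike domain, routine internal mail,
# and the request a compromised executive mailbox would send.
SPOOFED = """\
From: "Jane Doe" <jane.doe@example-heatlh.test>
Reply-To: jane.doe.ceo@webmail.test
To: payroll@example-health.test
Subject: Urgent: W-2 copies needed
Content-Type: text/plain; charset="utf-8"

Hi, I need copies of all employees' 2017 W-2s in PDF before noon. Send them to me directly.
"""

ROUTINE = """\
From: "Jane Doe" <jane.doe@example-health.test>
To: payroll@example-health.test
Subject: Q3 budget meeting
Content-Type: text/plain; charset="utf-8"

Can we move the Q3 budget meeting to Thursday?
"""

FROM_COMPROMISED_ACCOUNT = """\
From: "Jane Doe" <jane.doe@example-health.test>
To: hr@example-health.test
Subject: Employee W-2 forms
Content-Type: text/plain; charset="utf-8"

Please send me the W-2 forms for all staff as a single PDF today. Thanks.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("routine", ROUTINE), ("compromised", FROM_COMPROMISED_ACCOUNT)):
        verdict, findings = triage(raw)
        print(f"{label}: {verdict}", *findings, sep="\n  ")
```

The spoofed message trips all three header checks plus the content check and is blocked; the routine message passes; the message from the compromised account raises only the W-2 request finding and is held for verification, which is the case the spam filter alone cannot catch and the phone or face-to-face policy is there to cover.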
