Former employees sue respiratory therapy supplier Lincare over February data breach

The nation’s largest supplier of home respiratory-therapy products, which was previously fined for violating HIPAA, is now being sued by a group of former employees, who say the company failed to implement “the most basic security safeguards” which led to a breach of their personal data.

The breach, which does not involve health information, occurred in February when a human resources employee was victimized by a phishing email in which the sender claimed to be a Lincare executive asking for W-2s for employees at the company. The lawsuit, filed in the Middle District of Florida, alleges the company didn’t do enough to protect employee information or train employees to recognize targeted email scams.

Phishing scams involving W-2s and employee records are commonplace, particularly during tax season. Over the past several years, both the FBI and the IRS issued warnings about email fraud schemes directed towards businesses. 

Lincare provides respiratory therapy equipment for in-home use, typically for customers suffering from chronic obstructive pulmonary disease. Headquartered Florida, Lincare operates more than 1,000 locations across the country with more than 14,000 employees.

RELATED: Unintended disclosure accounts for a big chunk of data breaches in 2017, and spear phishing is on the rise

Although the company provided credit monitoring after the breach, the group of former employees argues it was a “minor half-measure that did not safeguard and protect the already released” information. The employees also claimed Lincare “squarely placed the burden” on employees to mitigate the damages of the breach.

In addition to relief for damages, the plaintiffs requested Lincare provide employees at least 25 years of bank monitoring, credit restoration services and identity-theft insurance.

A Lincare spokesperson declined to comment on the lawsuit.

It’s not the first time Lincare’s cybersecurity practices have been questioned. In 2016, the Office for Civil Rights fined the company nearly $240,000 failure to implement written policies and procedures to protect patient information that was taken off-site.

However, recent legal cases have raised questions about an employer’s duty to protect employee information. A lawsuit against the University of Pittsburgh Medical Center following a data breach that exposed personal information of nearly 62,000 employees is scheduled to go before the state Supreme Court after the Superior Court ruled there was no implied agreement for UPMC to keep employee information safe.