Respiratory therapy supplier Lincare agrees to pay $875K to settle data breach lawsuit

The country’s largest provider of home respiratory supplies has agreed to pay $875,000 to settle a class-action lawsuit from former employees whose information was exposed during a 2017 data breach.

The settlement (PDF) resolves a lawsuit filed last fall that claimed Lincare failed to implement “the most basic security safeguards” to prevent a breach. A human resources employee fell victim to a phishing scam in February 2017 in which the sender claimed to be a Lincare executive asking for employee W-2s.

The Florida-based company provides in-home respiratory therapy equipment for customers suffering from chronic obstructive pulmonary disease. Lincare has more than 14,000 employees across more than 1,000 locations.

A Lincare spokesperson declined to comment. 

Although the breach did not involve patient information, it served as a reminder that healthcare organizations are also susceptible to breaches involving employees, with significant liability in some cases.

Lincare offered credit monitoring to employees after the breach was discovered, but plaintiffs described that as a “minor half-measure that did not safeguard and protect the [information] already released.”

As part of the settlement, Lincare did not admit to any wrongdoing. The $875,000 will be divvied up into two funds, with $550,000 to compensate class members that suffered an out-of-pocket loss and $325,000 reserved for members that experienced an “eligible incident,” such as a fraudulent tax return, or a fraudulent loan or credit card.

The settlement comes as healthcare data breaches are drawing more scrutiny from federal and state regulators. Healthcare companies are also finding themselves in legal hot water as hacker groups continue to prey on long-standing vulnerabilities.

A case brought by employees of the University of Pittsburgh Medical Center has made its way to the Pennsylvania Supreme Court. The state court will weigh in on whether the provider is responsible for safeguarding employee information after a 2014 breach exposed information for 62,000 employees.