This is a scary story about how one healthcare company didn’t avoid a data breach lawsuit that it could have entirely prevented. Last October, three former employees of Lincare, an in-home respiratory care provider, filed a lawsuit claiming that thousands of the company’s employees had been endangered by a data breach caused by inadequate data security policies and procedures. The breach, which occurred because a human resources employee failed to identify a phishing scam, may have affected 14,000 employees nationwide.
It began as many scams do: the employee in question received an email claiming to be from a Lincare executive and asking for employees’ W-2 tax forms. Without checking to determine whether the email was legitimate—and without any additional security protocols in place—the employee sent sensitive information directly to a scammer’s inbox. The information included names, addresses, Social Security numbers, and earnings.
Lack of Proper Security
In their lawsuit, the former employees allege that Lincare Holdings does not implement even “the most basic security” for its employee information. Under Florida law, the company could be saddled with charges as diverse as negligence, breach of implied contract, and breach of fiduciary duty—which requires companies to act in their employees’ and clients’ best interest. Failing to secure the data appropriately and completely may also violate Florida’s Deceptive and Unfair Trade Practices Act.
This was not the first time that Lincare Holdings had run into trouble with its data security procedures. In 2016, the company also received a $240,000 civil monetary penalty for lacking the procedures to protect patients’ healthcare records in compliance with HIPAA. That breach occurred because an employee left files containing personal healthcare information in an old residence after moving away. In that incident, 278 patient records were compromised.
While Lincare Holdings implemented re-training procedures for all of its human resources personnel and offered its employees two years of free identity theft protection, the employee suit alleges that employees’ sensitive information is likely “in the possession of an unknown third party or parties who have already used the PII for illegal purposes and will be able to continue doing so indefinitely.” In fact, Lincare alerted employees last April that some of their personal information had been used to obtain fraudulent student loans.
How To Avoid a Data Breach Lawsuit
The easiest way to avoid a data breach lawsuit is to guard against the data breach in the first place. Lincare Holdings is a large national healthcare business—with over 1,000 locations in the United States—but the same data security issues often appear in small medical offices like yours. In the digital era, healthcare providers need to ensure that their patient and employee data is as secure as possible.
Ask yourself the following questions:
- Do my employees’ email accounts have advanced spam filters to prevent scamming and phishing emails from getting to their inbox?
- Do I give all my employees -- not just technical support -- proper information-security training?
- Have I implemented data security protocols around sensitive patient and employee information?
- Do my systems have multiple layers of security and authentication?
- Are my employees aware that personal information should never be sent in an unencrypted form?
If you answered “no” or “I don’t know” to any of these questions, then you may have a serious data security problem in your medical office. How secure is your business? You need to know that nothing like this could happen to you. Ask us for a Preliminary Security Analysis. Getting started takes less than a minute.
And if you have security issues and vulnerabilities, Digital Uppercut can help you not only avoid a data breach but also avoid a data breach lawsuit. Our Managed Security and Compliance Services ensure that sensitive information is kept under lock and key and compliant with HIPAA guidelines while still allowing your practice to function efficiently. Plus, we offer advanced employee training so that everyone in your office is informed about proper security protocol. To learn more about our services, please contact us at 818-913-1335!