Evan Sweeney reports:
The country’s largest provider of home respiratory supplies has agreed to pay $875,000 to settle a class-action lawsuit from former employees whose information was exposed during a 2017 data breach.
The settlement (PDF) resolves a lawsuit filed last fall that claimed Lincare failed to implement “the most basic security safeguards” to prevent a breach. A human resources employee fell victim to a phishing scam in February 2017 in which the sender claimed to be a Lincare executive asking for employee W-2s.
Read more on FierceHealthcare.
This is the second time Lincare has taken a financial hit over a data breach. As reported previously, in February 2016, an HHS Administrative Law Judge upheld a monetary penalty of $239,800 that OCR had levied over another breach. In that case, a Lincare employee had left behind documents containing the protected health information (PHI) of 278 patients after moving residences. Evidence established that this employee removed patients’ information from the company’s office, left the information exposed in places where an unauthorized person had access, and then abandoned the information altogether.
And for those keeping score, that’s the second breach attributable to human error or employees not doing what they should be doing. There might be a lesson to be learned in there somewhere. Both employee information and patient information need to be adequately protected.