PaperlessPay Corp. Data Breach of Payroll Information Class Action

PaperlessPay Corporation does payroll for other companies. The complaint for this class action alleges that PaperlessPay is responsible for a data breach it suffered, exposing the personally identifying information (PII) of employees for Prisma Health-Midlands (PHM) and other companies.

The class for this action is all persons whose PII was compromised in the data breach and who were sent notice of the data breach. A PHM Subclass has been defined to include empolees of PHM.

The complaint claims, “On or about February 29, 2020, the Department of Homeland Security (‘DHS’) notified Paperlessay that a dark web advertisement offered for safe ‘access’ to PaperlessPay’s SQL database server.”

“Over the following weeks,” the complaint alleges, PaperlessPay cooperated with the joint investigation conducted by [DHS] and the [F]ederal Bureau of Investigation (‘FBI’).”

In addition, PaperlessPay hired a cybersecurity company, Ankura, to investigate. Ankura found that “at a minimum, on February 18, 2020, an unauthorized individual entered the server which stored the employee data … and possibly staged an exfiltration from the server.”

On or around March 20, 2020, PaperlessPay informed the companies whose employee data was on the server of the data breach. Unfortunately, it was not able to confirm the extent of the access.

The PII exposed in the cyberattack included names, addresses, full bank account numbers, payroll and withholding information, and Social Security numbers. The information belonged not just to employees of PHM but also of Marshall Medical Center (MMC), Community Memorial Health System (CMHS), Orlando Utilities Commission (OUC), MP Environmental Services, Inc. (MPE), Fareway Stores, Inc. (Fareway), and Lee Auto Malls.

Most of these companies offered affected employees a year or two of credit monitoring when they sent them notice of the breach. (OUC only sent notice, without any offer of credit monitoring.) However, the complaint notes that stolen identity information may be held for years before it is used.

The complaint alleges that PaperlessPay “failed to properly monitor the computer network and systems that housed the PII. Had PaperlessPay properly monitored its property, it would have discovered the intrusion sooner.”

Also, it says that PaperlessPay and PHM “maintained the PII in a reckless manner. In particular, the PII was maintained on Defendant PaperlessPay’s computer network in a condition vulnerable to cyberattacks. Upon information and belief, the mechanism of the cyberattack and potential for improper disclosure of … PII was a known risk” to PaperlessPay and PHM.

The counts in the complaint include negligence, breach of express contract, breach of implied contract, intrusion upon seclusion/invasion of privacy, and breach of confidence.

Article Type: Lawsuit
Topic: Privacy

Most Recent Case Event

PaperlessPay Corp. Data Breach of Payroll Information Complaint

September 4, 2020

PaperlessPay Corporation does payroll for other companies. The complaint for this class action alleges that PaperlessPay is responsible for a data breach it suffered, exposing the personally identifying information (PII) of employees for Prisma Health-Midlands (PHM) and other companies.

PaperlessPay Corp. Data Breach of Payroll Information Complaint

Case Event History

PaperlessPay Corp. Data Breach of Payroll Information Complaint

September 4, 2020

PaperlessPay Corporation does payroll for other companies. The complaint for this class action alleges that PaperlessPay is responsible for a data breach it suffered, exposing the personally identifying information (PII) of employees for Prisma Health-Midlands (PHM) and other companies.

PaperlessPay Corp. Data Breach of Payroll Information Complaint
Tags: Exposing Private Information, Exposure to cyber crime, Your Privacy