Paratransit Services, which provides non-emergency medical and public transportation services in Washington, Oregon and California, fell for an email phishing scam in early March and released all current and former 2016 Paratransit employees’ W-2 forms to an unknown party.
The company is also a regional broker for providing transportation for Medicaid clients to and from Medicaid-covered appointments. It also runs RiverCities LIFT in Cowlitz County, which transports disabled people unable to ride the regular RiverCities Transit bus service.
W-2 forms include the employee’s name, address, Social Security number and wage information. Paratransit provided all those affected by the breach with a free 24-month subscription to Equifax, which is a credit monitoring and identity theft protection company.
It is unclear whether any employees have had identity theft or fraud problems since the breach.
In late April, current and former Paratransit employees received a letter informing them of a data breach and that their personal security may have been compromised. The letter, which was sent by Paratransit CEO David Baker, states that the company received an email on March 10 from someone pretending to be the President/CEO of the company. The email asked for PDF copies of all 2016 Paratransit employees’ W-2 forms.
You have free articles remaining.
Paratransit did not discover the data breach or that the email was fraudulent until a month later, on April 11. The company notified employees on April 28.
Paratransit Services sent a general statement in response to interview requests from The Daily News, but the company declined to elaborate on the number of employees affected by the data breach, how it happened or why it took the company a month to notice and respond to the fraudulent email.
The letter sent to employees states that Paratransit officials don’t believe the person who sent the email gained access to the computer network or compromised the company’s IT systems.
The letter to employees also states that the company is implementing “additional safeguards” and will “provide additional mandatory training to our employees on safeguarding the privacy and security of information on our systems.” The letter states that Paratransit officials have contacted the IRS, FBI and respective state Attorneys General.