PaperlessPay Data Breach of Client Database Exposed PII on Dark Web

Data Breach Exposed Personally Identifiable Information Of Clients Contained on PaperlessPay’s Servers and Systems – Payroll Service Clients Acknowledge Being Affected by Data Breach

Kehoe Law Firm, P.C. is making consumers aware that in a “Notice of Data Breach” filed with the State of California Department of Justice, Office of the Attorney General, Marshall Medical Center (“MMC”) stated that “[o]n March 20, 2020 PaperlessPay contacted MMC that . . . the Department of Homeland Security . . . contacted PaperlessPay [about] an unknown person . . . purporting to sell ‘access’ to PaperlessPay’s client database on the dark web.”

MMC’s data breach notice stated that through a joint FBI and DHS investigation, as well as MMC’s own internal investigation, “. . . PaperlessPay confirmed that an unknown person . . . on February 18, 2020 accessed PaperlessPay’s database where MMC employees’ data was stored.” According to MMC’s breach notification, “[t]he information stored in PaperlessPay’s database regarding MMC employees consists of the data elements that appear on employee pay stubs and tax forms, including name, address, pay and withholdings, and Social Security number.” [Emphasis added.]

In another “Notice of Data Breach” filed with the State of California Department of Justice, Office of the Attorney General, Community Memorial Health System (“CMHS”) stated that they “. . . were notified by PaperlessPay Corporation . . . in a letter dated March 20, 2020, that on February 19, 2020, they were contacted by the Department of Homeland Security . . . regarding a possible breach of their systems. PaperlessPay is a vendor hired by CMHS to house pay stubs and assist with W-2 forms. DHS notified PaperlessPay that there was an unknown person purporting to sell ‘access’ to their client database on the dark web.” CMHS’s data breach notice also stated that

[t]he impacted server stored pay stub and tax forms that contain name, address, pay and withholdings information, bank account number information (if this appears on [one’s] paystub), and Social Security number. With respect to bank account information, note that bank information for employees who receive a single deposit was not provided to Paperless Pay. Bank account information is, however, provided for those employees who receive multiple deposits. Specifically, for multiple deposit employees, PaperlessPay would have had access to a full bank account number for each account that is being deposited, but not to bank account routing numbers or bank names. [Emphasis added.]

The Orlandosentinel.com reported (“OUC pay stubs, W2s for 2,100 workers target of possible ‘data attack'”) that “[a] data breach may have occurred with payroll information for 2,100 current and former Orlando Utilities Commission employees, according to a warning letter to workers distributed by OUC management.” Reportedly, “. . . in [a] warning email . . . OUC management said that PaperlessPay Corp., after cooperating with federal law enforcement, ‘cannot definitively rule out the possibility’ that employee pay information was taken in a data breach.” [Emphasis added.]

A class action complaint, filed on May 22, 2020 in United States District Court, Middle District of Florida, against PaperlessPay Corporation, Fareway Stores, Inc., Mark Broughton, and Reynolds Cramer, alleged that “PaperlessPay only notified [e]mployers of the Data Breach on approximately March 20, 2020, over a month after the breach was first discovered[,]” and “[w]hile PaperlessPay ultimately notified [e]mployers of the [d]ata [b]reach, PaperlessPay made the deliberate decision not to notify individuals whose data was impacted by the [d]ata [b]reach.”

According to the class action complaint:

[t]he stolen PII [Personally Identifiable Information] has great value to hackers due to the sheer number of individuals affected and the fact that bank account information and Social Security numbers were compromised.

For example, PaperlessPay currently states on its website that it has 2,272,690 users (who are the employees of the affected Employers), thus making it possible that millions of individuals had their PII stolen.

Additionally, although Defendant Fareway Stores, Inc. is just one of PaperlessPay’s customers, Fareway has notified 30,519 individuals in the state of Iowa alone that their PII was compromised.

Based on disclosures made by [e]mployers to certain states, only a handful of [e]mployers have notified their employees that their PII was compromised in the [d]ata [b]reach. These [e]mployers include: Fareway Stores, Inc.; Marshall Medical Center (El Dorado, California); Community Memorial Health System (Claysburg, Pennsylvania); Orlando Utilities Commission (Orlando, Florida); City of Fort Lauderdale; Lee Auto Malls (Auburn, Maine); Spencer Municipal Hospital (Spencer, Iowa); MP Environmental Services, Inc. (Bakersfield, California); Riverwood Healthcare Center (Minneapolis, Minnesota); and PCL Construction, Inc. (Denver, Colorado).

Given the fact that PaperlessPay states it has 1,500 clients, it is likely that hundreds of employers have not yet notified at least tens of thousands of employees that their PII was compromised. [Emphasis added.]

Have You Been Impacted by A Data Breach?

If so, please either contact Kehoe Law Firm, P.C., Michael Yarnoff, Esq., (215) 792-6676, Ext. 804, [email protected], complete the form on the right or e-mail [email protected] for a free, no-obligation case evaluation of your facts to determine whether your privacy rights have been violated and whether there is a basis for a data privacy class action.

Examples of the types of relief sought by data privacy class actions include, but are not limited to, reimbursement of identity theft losses and of out-of-pocket costs paid by data breach victims for protective measures such as credit monitoring services, credit reports, and credit freezes; compensation for time spent responding to the breach; imposition of credit monitoring services and identity theft insurance, paid for by the defendant company; and improvements to the defendant company’s data security systems.

Data privacy class actions are brought on a contingent-fee basis; thus, plaintiffs and the class members do not pay out-of-pocket attorney’s fees or litigation costs. Subject to court approval, attorney’s fees and litigation costs are derived from the recovery obtained for the class.

Kehoe Law Firm, P.C.