Emanate Health’s Third-Party Vendor, PaperlessPay Corporation, Suffers Data Breach Involving Personal Information of Emanate Former and Current Employees

Kehoe Law Firm, P.C. is making consumers aware that Emanate Health filed a sample breach notification letter with the State of California Department of Justice, Office of the Attorney General, advising current and former employees about a data breach involving Emanate Health’s third-party vendor, PaperlessPay Corporation (“PaperlessPay”), which Emanate Health has contracted to process and deliver electronic pay stubs and W-2 tax forms.  According to the breach notification letter, the data breach involves the personal information of former and current employees of Emanate Health. 

According to the breach notification letter:

[Emanate Health] received notice from PaperlessPay on March 20, 2020 informing [Emanate Health] that an unauthorized person gained access to its computer server. PaperlessPay learned of the incident on February 19, 2020 when the Department of Homeland Security (“DHS”) contacted PaperlessPay to inform them that an unknown person was purporting to sell “access” to the PaperlessPay database on the dark Web.

. . .

The [data breach] investigations confirmed that an unknown individual accessed PaperlessPay’s SQL server where employee data is stored on February 18, 2020. The available evidence has not, however, allowed DHS, the FBI, or PaperlessPay’s cybersecurity firm to determine what data the individual may have accessed or viewed while connected to the SQL server. It is possible the person only used the access to determine the size of the SQL database and to stage it for subsequent access that could be sold to others, and that the individual did not directly access any employee data. However, the individual would have had the capability to run queries against the SQL database and view its data, so PaperlessPay cannot rule out the possibility of unauthorized access or acquisition of your personal information.

. . . The information stored in the SQL server about employees consists of the data components that appear on their pay stubs and tax forms, including their name, address, pay and withholdings, last four digits of bank account number (if that information is included on the pay stubs), and Social Security number. These data components are stored on the SQL server in different tables that are associated by user ID numbers, not names, within each table. Therefore, the only way to associate any data with an individual would be to run a query against the database and have it aggregate an individual’s name with his or her other data components. PaperlessPay could not conclusively determine whether such queries were run. No bank account passwords or access codes were stored on the SQL server. 

Have You Been Impacted by a Data Breach?

If so, please either contact Kehoe Law Firm, P.C., Michael Yarnoff, Esq., (215) 792-6676, Ext. 804, [email protected], complete the form on the right or e-mail [email protected] for a free, no-obligation case evaluation of your facts to determine whether your privacy rights have been violated and whether there is a basis for a data privacy class action.

Examples of the type of relief sought by data privacy class actions include, but are not limited to, reimbursement of identity theft losses and of out-of-pocket costs paid by data breach victims for protective measures such as credit monitoring services, credit reports, and credit freezes; compensation for time spent responding to the breach; imposition of credit monitoring services and identity theft insurance, paid for by the defendant company; and improvements to the defendant company’s data security systems.

Data privacy class actions are brought on a contingent-fee basis; thus, plaintiffs and the class members do not pay out-of-pocket attorney’s fees or litigation costs.  Subject to court approval, attorney’s fees and litigation costs are derived from the recovery obtained for the class.

Kehoe Law Firm, P.C.