Communications Litigation Today was a Warren News publication.
'Negligent Hiring'

Fla. Doctor's Phone Number, Retirement Account Hacked in T-Mobile SIM Swap: Suit

A Tampa doctor’s T-Mobile account was improperly transferred to another individual who used the doctor's identity to attempt to buy fraudulent prescriptions of controlled substances, tried to transfer $100,000 from her retirement account and obtained money via a financial services platform, alleged Pina Panchal's negligence complaint Wednesday (docket 8:24-cv-00456) in U.S. District Court for Middle Florida in Tampa.

The action arises out of T-Mobile’s “failure to protect” its customers' sensitive personal and financial information and its “its negligent hiring and supervision of T-Mobile employees who were responsible for safeguarding that information,” said the complaint. T-Mobile violated laws that “expressly protect the information of wireless carrier customers,” it said.

As a result of T-Mobile’s “gross negligence,” the identity of Panchal, a physician who owns Aesthetics Lab in Tampa, Florida, “was stolen,” said the complaint. Panchal was “targeted pre-meditatively” on April 26 when hackers set up an account with RXNT, an electronic healthcare record system. RXNT has a rigorous multistep authentication process that couldn’t have been approved without the hacker gaining access to her T-Mobile number, it said.

On May 24, unidentified perpetrators “took action to victimize” Panchal “through and with the assistance of her wireless carrier,” T-Mobile, the complaint said. By gaining access to Panchal’s phone number, the hackers contacted T-Mobile pretending to be her and ported out her personal phone number, without her authorization, to H2O Wireless through a T-Mobile representative employed at a company store in Jacksonville, it said.

T-Mobile swapped Panchal’s SIM card and transferred control of her phone number to a device under the control of a hacker who “immediately took control of Dr. Panchal’s phone, accessed multiple accounts, and personal and financial information,” the complaint said. The unknown party accessed her medical credentials, using access provided by T-Mobile to bypass two-factor authentication, it said. They changed her passwords, removed her phone access and functionality, sent nationwide fraudulent prescription requests and attempted to extort her friends “to coax thousands of dollars from them,” it said.

On May 25, Panchal’s retirement account logins and access had been changed to the hacker’s control due to the two-step verification belonging to her stolen wireless number; on May 27, pharmacies in Florida, New York and Washington began to contact Panchal regarding narcotics prescriptions written using her credentials, the complaint said.

Panchal immediately contacted T-Mobile and spoke with representatives, including members of the carrier’s security team, about the improper use of her phone number, the complaint said. Company representatives confirmed T-Mobile permitted an unauthorized port fraud and that it would take steps to avoid future SIM swap occurrences, the complaint said. But T-Mobile “took no action,” leading Panchal to contact T-Mobile over 50 times May 24-31 without success, it said. A July 6 letter from T-Mobile to Panchal confirmed what she already knew: Her SIM card was reassigned without authorization, said the complaint.

Because Panchal is a medical doctor who uses her phone in her practice, and has reporting and notification requirements for maintaining her license and any associated misuse, she had to respond to over 50 attempts of more than 700 “high-dosage fraudulent prescription refills” from clinics and providers in numerous states, including Florida, New York, and Washington, the complaint said.

Panchal’s retirement accounts were hacked, her personal information was used to request cash app payments from family and friends and two additional lines were added to her account, the complaint said. The doctor missed clinic hours during the resulting investigation, resulting in loss of work and profit, it said. She was unable to use her phone for over a week and her ability to prescribe medications “was paused during the federal investigation of this matter,” it said.

T-Mobile “failed to implement and/or practice policies and procedures to sufficiently protect [Panchal’s] information, it failed to train and supervise its employees, who repeatedly provided unauthorized access to thieves, and it failed to take corrective action in response” to the unauthorized access, “as is clear from the repeated and successive hacking of Dr. Panchal’s phone with the assistance of T- Mobile employees,” it said. Due to the SIM swap’s impact on her business, medical license, financial loss and “repeated information attacks,” Panchal has experienced “emotional distress,” it said.

The lawsuit alleges violations of the Communications Act and the Florida Deceptive and Unfair Trade Practices Act, negligence and gross negligence, negligent hiring, retention and supervision; and negligent infliction of emotional distress. Panchal seeks compensatory, punitive and statutory damages; attorneys’ fees and costs; and prejudgment interest.