A Chittenden County primary care practice is suing the Bank of Burlington, claiming the financial institution failed to stop a fraudster from siphoning $270,000 out of its checking account.
The lawsuit, filed in state court this week, says the local lender should have grown suspicious when an account held by Evergreen Family Health started making large transfers to newly linked accounts in rapid succession. The practice wants the bank to cover the losses under a fraud protection package it sold to business clients.
Instead, the suit claims, bank executives blamed the theft on Evergreen and said they had no intention of reimbursing the funds.
It is unclear what the losses might mean for Evergreen, which employs nearly two dozen health care providers across three offices in Williston and Essex. But the allegations could hurt the reputation of a nascent bank that specifically caters to local businesses. Attorneys for both parties declined comment.
The Bank of Burlington was established in 2022 and became the only business-to-business lender in Vermont. It was founded by a host of well-known names in business, including former Wall Street exec Bruce Lisman and Burlington landlord Bill Bissonette, who now sit on the board of directors.
Evergreen Family Health chose the lender when searching for a new bank in 2024 because it wanted to support a fellow local business, according to the lawsuit. “Evergreen also was persuaded by the Bank’s apparent commitment to fraud protection,” the complaint reads.
Evergreen deposited $250,000 into its new account in January 2024 and opted for a plan with the highest level of fraud protection. The practice conducted hundreds of transactions over the next year, according to the suit. Most were deposits, with the rare withdrawal largely confined to monthly transfers to another Evergreen account.
Vermont Business Leaders Plan to Establish a Bank
Vermont Business Leaders Plan to Establish a Bank
By Anne Wallace Allen
Off Message
But on January 14, 2025, an unknown person accessed Evergreen’s account using information gleaned from a compromised staff email account. Over the next 24 hours, that person initiated 11 same-day transfers to 11 different accounts, wiping Evergreen’s account clean, the lawsuit says. Two additional transfers were rejected for insufficient funds.
The transfers used the Automated Clearing House, or ACH, a common payment system that electronically sends money between banks.
The bank sent Evergreen’s controller, Katrina Payea, an alert on January 17, three days after the first fraudulent transfer, notifying her that the practice’s account had been overdrawn.
Shocked, Payea logged on and saw the unauthorized transfers. She immediately notified the bank and was told the transfers could be reversed because they were identified quickly enough, according to the complaint. But a week later, the bank told Evergreen that the money was gone.
In late January, Payea reported the fraud to the Federal Bureau of Investigation. She learned that the bank, without her knowledge, had already filed a report that was “rife with inaccuracies, mischaracterizations, and objectively false statements,” the lawsuit says. It claimed, for instance, that Evergreen failed to notify the bank about the fraud, even though it had a full week earlier.
The person accessed the account from an out-of-state IP address that the practice had never used before, registered a new device and changed the account credentials before quickly carrying out transfers to newly linked accounts.
“These actions were dramatically inconsistent with Evergreen’s history of authorized activity and transactions,” the complaint says.
The lawsuit accuses the bank of negligence for its failure to recognize and prevent the theft as it was happening. Any bank with reasonable security systems could have noticed something suspicious was going on leading up to the fraud, the suit says.
But in a meeting with Evergreen’s management team, bank executives insisted that they had “no responsibility, obligation or capability” to identify the suspicious activity, the lawsuit claims.
The lawsuit also accuses the bank of breaching an agreement that states Evergreen would only be liable for up to $500 in the event of fraudulent withdrawals, as long as the company informed the bank within two business days.
The medical practice had also created a security protocol under which any Automated Clearing House transfers that did not meet a certain criteria were supposed to be flagged for review. That never happened, the suit says.