Aveanna Healthcare Reaches $425K Settlement After Healthcare Data Breach

Aveanna Healthcare agreed to pay $425,000 and adopt new security measures after several phishing-related healthcare data breaches impacted over 4,000 Massachusetts individuals.

Aveanna Healthcare reached a proposed settlement to resolve a healthcare data breach lawsuit stemming from a 2019 string of phishing attacks that impacted hundreds of thousands of Massachusetts residents, Attorney General Maura Healey announced.

The Massachusetts Attorney General’s office alleged that the Georgia-based home healthcare provider failed to sufficiently safeguard patient data, leading to protected health information (PHI) exposure for more than 4,000 patients and employees.

Currently, Aveanna Healthcare operates in 33 states, with Massachusetts offices located in Brockton, Plymouth, Shrewsbury, Springfield, Waltham, West Springfield, and Worcester.

According to the Attorney General’s office, Aveanna employees began receiving fraudulent “phishing” emails in July 2019, which tricked users into handing over credentials, money, and sensitive information to an unauthorized party.

The information involved in the incident included social security numbers, driver’s license numbers, financial account numbers, and health information such as diagnoses, medications, and treatment records.

Aveanna Healthcare notified impacted individuals of the breach in February 2020 after discovering in August 2019 that certain accounts were hacked.

In one instance, the threat actors sent employees a phishing email disguised as a message from the Aveanna Healthcare president. Over the course of several weeks, more than 600 phishing emails had been sent to employees by August 2019.

Responses to these emails gave the attackers unauthorized access to parts of Aveanna Healthcare’s network. Additionally, the threat actors attempted to access the human resources system and modify individual employees’ direct deposit information.

In response to the incident, Aveanna Healthcare said it offered impacted Massachusetts residents two years of free credit monitoring.

The initial complaint stated that the Georgia-based home health provider “was aware that its cybersecurity required improvement but had not implemented new changes to improve it by the time the phishing attacks occurred.”

Specifically, the attorney general alleged that Aveanna Healthcare did not implement tools or employee training to prevent phishing attacks, and “Aveanna’s security program failed to meet the minimum required safeguards to protect personal information under the Massachusetts Data Security Regulations.”

Additionally, the complaint accused Aveanna of HIPAA noncompliance as the company failed to meet standards for protecting PHI.

“Companies have an obligation to put the right security measures and systems in place to prevent hackers from accessing sensitive information,” AG Healey said in a press release. “As a result of this resolution, Aveanna will ensure compliance with our strong data security laws and take the steps necessary to protect its employees and the private data of Massachusetts residents moving forward.”

The home health provider has denied all wrongdoing but agreed to a settlement. Under the terms of the consent judgment, Aveanna agreed to pay the monetary settlement of $425,000 and implement a comprehensive information security program.

In particular, the security program must include phishing protection technology and multi-factor authentication.

Aveanna would also be required to “train its employees on data security, keep them up to date on security threats, and do an annual independent assessment of its compliance with the consent judgment and the Massachusetts Data Security Regulations for a period of four years.”

This data breach also led to a class-action lawsuit brought on behalf of more than 100 patients impacted by the month-long data breach.

As noted in the lawsuit, Aveanna waited well beyond the HIPAA-required 60-day notification rule to begin sending notices to potential victims. The lawsuit also argues that Aveanna Healthcare inadequately safeguarded patient data and carelessly maintained private information.

The lawsuit sought a financial remedy for out-of-pocket costs related to purchasing credit monitoring services, freezes, and reports, along with other protective measures against identity theft.
