Aveanna Healthcare Resolves Alleged HIPAA Violations with $425,000 Settlement


Just a few weeks after settling a class action lawsuit over a 2019 data breach that affected 166,077 individuals, Aveanna Healthcare has agreed to a settlement with the Massachusetts Attorney General’s office to resolve allegations that it violated state and federal law by failing to implement reasonable and appropriate cybersecurity measures. The lawsuit included a fund of up to $800,000 to cover claims from the plaintiffs and class members, and the settlement includes a financial penalty of $425,000, which means the legal actions alone could cost the Georgia home healthcare and hospice provider more than $1 million.

The data breach in question stemmed from a phishing attack in 2019 which saw around 600 phishing emails sent to its employees between July and August. Some of the emails were sophisticated and impersonated the CEO of the company and directed the employees to a survey, which required them to disclose their login credentials. Over the two months, more than 50 employees responded to the emails and disclosed their credentials, which allowed the attacker to gain access to their accounts, which contained the sensitive information of its patients. The exposed information included names, payment information, Social Security numbers, driver’s license numbers, passport numbers, and healthcare information. The breach was discovered by Aveanna Healthcare on August 24, 2019. Affected individuals, the HHS’ Office for Civil Rights, and State Attorneys General were notified about the breach in February 2020.

The investigation by the Massachusetts Attorney General identified multiple security failures that are alleged to have contributed to the breach. Massachusetts Attorney General Maura Healey alleged Aveanna Healthcare had not implemented basic cybersecurity protections such as multifactor authentication on email accounts and a security information and event management (SIEM) system on its network, despite these being industry best practices.

Healey’s complaint alleged multiple violations of HIPAA and Massachusetts’ Data Security Regulations, including the failure to conduct an accurate and thorough risk analysis, the failure to implement appropriate security measures to reduce risks and vulnerabilities to ePHI, the failure to regularly review records of information system activity, and the failure to implement an adequate security awareness and training program.

Consent Judgment has Unique Training Conditions

The consent judgement against Aveanna Healthcare requires the company to develop a comprehensive information security program and support the program by implementing multiple technical safeguards and delivering a security awareness and training program. At a minimum, the program must include HIPAA training on policies and procedures to protect the confidentiality, integrity, and availability of PHI, current potential security threats, and phishing susceptibility. All employees have to undergo retraining immediately and refresher training annually.

What is unusual about the training conditions is that the consent judgement states any employee who has not received refresher training within twelve months must have their access to PHI rescinded. In addition, no new hires will be allowed to access PHI until they have completed the security awareness and training program. Aveanna Healthcare will undergo annual independent assessments of its compliance with the consent judgment, and compliance will also be monitored by the Massachusetts AG’s Office for a period of four years.


Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

In addition, Healey alleged that Aveanna Healthcare was fully aware that its cybersecurity measures were inappropriate, as months before the attack had developed a plan for improving cybersecurity, which included implementing multifactor authentication and a SIEM system. That plan will now need to be accelerated, as both the class action lawsuit and Healey’s complaint require Aveanna Healthcare to develop, implement, and maintain an effective security program. Healey’s complaint demands phishing protection technology, multi-factor authentication, and other systems designed to detect and address intrusions.

“Companies have an obligation to put the right security measures and systems in place to prevent hackers from accessing sensitive information,” said AG Healey. “As a result of this resolution, Aveanna will ensure compliance with our strong data security laws and take the steps necessary to protect its employees and the private data of Massachusetts residents moving forward.”

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/