Just a few weeks after settling a class action lawsuit over a 2019 data breach that affected 166,077 individuals, Aveanna Healthcare has agreed to a settlement with the Massachusetts Attorney General’s office to resolve allegations that it violated state and federal law by failing to implement reasonable and appropriate cybersecurity measures. The lawsuit included a fund of up to $800,000 to cover claims from the plaintiffs and class members, and the settlement includes a financial penalty of $425,000, which means the legal actions alone could cost the Georgia home healthcare and hospice provider more than $1 million.
The data breach in question stemmed from a phishing campaign in 2019 in which around 600 phishing emails were sent to Aveanna Healthcare employees between July and August. Some of the emails were sophisticated: they impersonated the company’s CEO and directed employees to a survey that required them to enter their login credentials. Over the two months, more than 50 employees responded to the emails and disclosed their credentials, which allowed the attacker to access their email accounts; those accounts contained sensitive patient information. The exposed information included names, payment information, Social Security numbers, driver’s license numbers, passport numbers, and healthcare information. Aveanna Healthcare discovered the breach on August 24, 2019. Affected individuals, the HHS’ Office for Civil Rights, and State Attorneys General were notified about the breach in February 2020.
The investigation by the Massachusetts Attorney General identified multiple security failures that are alleged to have contributed to the breach. Massachusetts Attorney General Maura Healey alleged Aveanna Healthcare had not implemented basic cybersecurity protections such as multifactor authentication on email accounts and a security information and event management (SIEM) system on its network, despite these being industry best practices.
Healey’s complaint alleged multiple violations of HIPAA, including the failure to conduct an accurate and thorough risk analysis, the failure to implement appropriate security measures to reduce risks and vulnerabilities to ePHI, the failure to regularly review records of information system activity, and the failure to implement an adequate security awareness and training program, along with multiple violations of the Massachusetts Data Security Regulations.
Healey alleged that Aveanna Healthcare was fully aware that its cybersecurity measures were inadequate, as months before the attack it had developed a plan for improving cybersecurity, which included implementing multifactor authentication and a SIEM system. That plan will now need to be accelerated, as both the class action lawsuit and Healey’s complaint require Aveanna Healthcare to develop, implement, and maintain an effective security program. Healey’s complaint demands phishing protection technology, multifactor authentication, and other systems designed to detect and address intrusions. Aveanna Healthcare must also implement a security awareness training program for employees on data security, provide regular updates on the latest security threats, and undergo annual independent assessments of compliance with the consent judgment.
“Companies have an obligation to put the right security measures and systems in place to prevent hackers from accessing sensitive information,” said AG Healey. “As a result of this resolution, Aveanna will ensure compliance with our strong data security laws and take the steps necessary to protect its employees and the private data of Massachusetts residents moving forward.”