Aveanna Healthcare Facing Class Action Lawsuit Over 2019 Phishing Attack

The Atlanta, GA-based healthcare provider Aveanna Healthcare is facing a class action lawsuit over a data breach that occurred in the summer of 2019. Affecting 166,000 patients, it is one of the largest healthcare data breaches to be reported this year.

Aveanna Healthcare provides healthcare services to adults and children in 23 states and is the largest provider of pediatric home care in the United States. In the summer of 2019, several email accounts were compromised in a phishing attack. Aveanna Healthcare discovered the attack on August 24, 2019 and immediately secured its email accounts. The investigation revealed the first email account was breached on July 9, 2019, giving the attackers access to protected health information for more than 6 weeks.

Emails in the compromised accounts contained patient information such as names, health information, financial information, passport numbers, driver’s license numbers, Social Security numbers, and other sensitive data. It was not possible to determine whether emails and files were viewed by the attackers. No evidence was found to suggest  patient information was stolen in the attack, but it was not possible to rule out the possibility that the attackers exfiltrated email data before they were shut out of the email accounts.

The Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule requires patients affected by data breaches to be notified about the exposure of their PHI without unnecessary delay and no later than 60 days after the discovery of a breach. The Department of Health and Human Services’ Office for Civil Rights must also be notified about a breach within 60 days.

Aveanna Healthcare delayed issuing breach notifications to patients until this year and reported the breach to the HHS’ Office for Civil Rights on February 14, 2020, more than 5 months after the breach was discovered.

More than 100 patients affected by the breach have so far been included in the lawsuit. They allege that Aveanna Healthcare failed to issue timely notifications, and when those notifications were eventually sent, they failed to explain what types of information had been compromised. Aveanna Healthcare is alleged to have maintained the private personal and healthcare data of patients “in a reckless manner” and information stored in its systems was vulnerable to attack as a result.

The lawsuit states that Aveanna Healthcare was aware that patient data was at risk yet failed to take adequate steps to secure patient data. The plaintiffs also allege Aveanna Healthcare was not properly monitoring computer systems that contained patient data. If those systems were being monitored, it would not have taken 6 weeks for the data breach to be identified.

The plaintiffs claim they now face an elevated risk of identity theft and fraud as their sensitive data is now in the hands of data thieves. The lawsuit seeks nominal and compensatory damages for patients affected by the breach, reimbursement of out-of-pocket expenses, and injunctive relief.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.