Aveanna Healthcare Data Breach Could Cost Firm More Than $1M
Phishing Onslaught Caused Breach Affecting 166,000 Individuals Nationwide
A Georgia-based home healthcare and hospice provider will pay nearly $500,000 to the state of Massachusetts to end state litigation tied to a data breach affecting nearly 170,000 patients.
The settlement comes just weeks after Aveanna Healthcare settled a putative class action in federal district court for up to $800,000 in cash payments and credit monitoring protections.
Both court cases stem from a stream of 600 phishing attempts made during summer 2019 that grew more sophisticated over time. At one point, company employees received an email appearing to come from the company president asking for their participation in a survey. A complaint from the Massachusetts attorney general says more than 50 employees succumbed to the two-month phishing onslaught.
The putative class action complaint says phishers got away with patient data including Social Security numbers, payment details, identification numbers from passports and driver's licenses, diagnoses information and treatment type (see: Data Breach Lawsuit Filed Against Pediatric Care Provider).
Aveanna in February 2020 reported the incident to the Department of Health and Human Services as affecting 166,077 individuals, patients and employees.
Each of the settlements requires Aveanna to improve its cybersecurity. Both the Massachusetts complaint and the proposed class action complaint accuse the company of not having instituted basic cybersecurity protections, including multifactor authentication.
"Companies have an obligation to put the right security measures and systems in place to prevent hackers from accessing sensitive information," Massachusetts Attorney General Maura Healey said of her office's $425,000 settlement with Aveanna.
Her complaint charges that the company knew its cybersecurity was deficient, having developed a plan for cybersecurity improvements just months before the phishing attacks. A post-attack review by the company "acknowledged that its current cybersecurity posture was 'lacking,'" the complaint also says. Besides noting the lack of multifactor authentication, it said the company's network lacked a SIEM (security information and event management) system.
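The lure described in the complaint, a message that appears to come from the company president, is the kind of executive impersonation a mail gateway or SIEM rule can flag before a user sees it. The following is an added example, not code from the article or from Aveanna: a small heuristic that fires when a From display name matches a known executive but the sending address is outside the company domain, when Reply-To points to a different domain than From, or when the sender domain is a lookalike of the company's. The company domain, executive roster and sample messages are all constructed for illustration.

```python
"""Detection heuristic for executive-impersonation phishing (added example).

Flags inbound mail whose From display name matches an internal executive
while the sending address is outside the organisation's domain, whose
Reply-To points to another domain, or whose sender domain is a lookalike.
Everything below (domain, roster, messages) is constructed, not real data.
"""
from email.utils import parseaddr

# Constructed assumptions: the protected domain and the executives whose
# names an attacker would most plausibly borrow for a "survey" lure.
COMPANY_DOMAIN = "example-health.test"
EXECUTIVE_NAMES = {"jane doe", "john roe"}  # hypothetical president / CFO


def _norm(name: str) -> str:
    """Lower-case and collapse whitespace so 'Jane  Doe' matches 'jane doe'."""
    return " ".join(name.lower().split())


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address ('' if malformed)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify(headers: dict) -> list:
    """Return the list of reasons a message looks like executive impersonation.

    An empty list means no heuristic fired. `headers` maps header name to
    value, as a gateway or SIEM parser would hand it over.
    """
    reasons = []
    display, addr = parseaddr(headers.get("From", ""))
    from_domain = _domain(addr)

    # 1. Executive's name on a message that did not originate from our domain.
    if _norm(display) in EXECUTIVE_NAMES and from_domain != COMPANY_DOMAIN:
        reasons.append("exec display name from external domain")

    # 2. Replies are steered to a domain other than the apparent sender's.
    reply_to = headers.get("Reply-To")
    if reply_to:
        _, reply_addr = parseaddr(reply_to)
        if _domain(reply_addr) != from_domain:
            reasons.append("Reply-To domain differs from From domain")

    # 3. Sender domain reuses our label under a different TLD or suffix.
    company_label = COMPANY_DOMAIN.split(".")[0]
    if from_domain != COMPANY_DOMAIN and company_label in from_domain:
        reasons.append("lookalike sender domain")

    return reasons


# Constructed sample messages covering a clean internal mail, a survey lure,
# a lookalike-domain lure and an unrelated external mail.
SAMPLE_MESSAGES = [
    {"From": "Jane Doe <jane.doe@example-health.test>",
     "Subject": "Q3 town hall"},
    {"From": "Jane Doe <jane.doe.survey@webmail.test>",
     "Reply-To": "collect@forms-lookalike.test",
     "Subject": "Please complete this short employee survey"},
    {"From": "John Roe <john.roe@example-health.tk>",
     "Subject": "Urgent: credential verification"},
    {"From": "Vendor Billing <billing@vendor.test>",
     "Subject": "Invoice 1234"},
]


def flagged_messages(messages=SAMPLE_MESSAGES) -> list:
    """Return (subject, reasons) for every message that trips a heuristic."""
    return [(m.get("Subject", ""), classify(m))
            for m in messages if classify(m)]


if __name__ == "__main__":
    for subject, reasons in flagged_messages():
        print(f"FLAG: {subject!r}: {', '.join(reasons)}")
```

Two of the four constructed messages are flagged: the survey lure trips both the external-domain and Reply-To checks, and the credential-verification mail trips the external-domain and lookalike checks. A rule like this is only a first filter; it catches the display-name trick the complaint describes but not a compromised internal mailbox, which is where multifactor authentication limits the damage once a lure has succeeded.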
Under the finalized class action settlement, affected individuals are each eligible to receive reimbursement of up to $10,000 in expenses, including documented, unreimbursed out-of-pocket expenses resulting from the security incident, losses from identity theft and fraud, and up to $250 for time spent remedying issues relating to the breach.
Aveanna also agreed to provide five years of identity theft and credit monitoring.
The company did not immediately respond to Information Security Media Group's request for comment on Healey's enforcement action and the class action lawsuit settlement.