The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Georgia Home Health Company Settles Phishing Investigation and Pays $425,000 Penalty

Posted By on Nov 4, 2022

Aveanna Healthcare has agreed to pay a $425,000 financial penalty to the Office of the Attorney General of Massachusetts for failing to implement appropriate safeguards to prevent phishing attacks, in violation of state and federal laws.

Aveanna Healthcare operates in 33 states and is the nation’s largest provider of pediatric home care. In the summer of 2019, Aveanna Healthcare was targeted in a phishing campaign that saw more than 600 phishing emails sent to its employees. The phishing emails attempted to trick the recipients into providing credentials, money, or other sensitive information. The first email account was breached in July 2019, with the attacks continuing throughout the summer. Aveanna Healthcare discovered the breach on August 24, 2019.

The forensic investigation revealed multiple employees had been tricked into disclosing their account credentials, which provided the attackers with access to parts of the network that contained the protected health information (PHI) of 166,000 patients, including the PHI of approximately 4,000 Massachusetts residents. The patient information exposed and potentially copied included names, Social Security numbers, driver’s license numbers, financial account numbers, and health information such as diagnoses, medications, and treatment information. The threat actors also logged into the human resources system and attempted to change the direct deposit information of employees to divert payments.

The Massachusetts AG’s Office launched an investigation into the phishing attacks and determined that Aveanna Healthcare had failed to implement appropriate safeguards to protect against phishing attacks. The AG’s Office alleged Aveanna was aware that its cybersecurity program was insufficient at the time of the phishing attacks and that it did not have sufficient tools in place to adequately defend against phishing attacks, such as multifactor authentication and sufficient security awareness training for its workforce. The Massachusetts AG’s Office determined that Aveanna’s security program had not met the minimum level of security required by the Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts nor the minimum standards for security demanded by the HIPAA Security Rule.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

Consent Judgment has Strict Training Requirements

The consent judgment requires Aveanna to pay a financial penalty of $425,000 to the Massachusetts AG’s office to resolve the violations, and adopt a corrective action plan that requires Aveanna to develop, implement, and maintain a security program that includes phishing protection technology, multi-factor authentication, and other systems designed to detect and address intrusions. Aveanna must also provide additional security awareness training to the workforce.

The training requirements include annual security awareness training on Aveanna’s information security program with particular focus on susceptibility to phishing attacks. Any member of the workforce that has not attested to receiving security training within a twelve month period must be prevented from having access to Protected Health Information. Aveanna is required to undergo annual independent assessments of its compliance with the consent judgment and will be monitored by the Massachusetts AG’s Office for a period of four years.

“Companies have an obligation to put the right security measures and systems in place to prevent hackers from accessing sensitive information,” said Massachusetts Attorney General Maura Healey. “As a result of this resolution, Aveanna will ensure compliance with our strong data security laws and take steps necessary to protect its employees and the private data of Massachusetts residents moving forward.”

Aveanna Healthcare is also facing a class action lawsuit over the exposure of patient data. The lawsuit alleges the failure to implement appropriate security measures also takes issue with the length of time it took Aveanna to announce the data breach – 5 months after the breach was detected.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist