Georgia Home Health Company Settles Phishing Investigation and Pays $425,000 Penalty

November 4, 2022

Aveanna Healthcare has agreed to pay a $425,000 financial penalty to the Office of the Attorney General of Massachusetts for failing to implement appropriate safeguards to prevent phishing attacks, in violation of state and federal laws.

Aveanna Healthcare operates in 33 states and is the nation’s largest provider of pediatric home care. In the summer of 2019, Aveanna Healthcare was targeted in a phishing campaign that saw more than 600 phishing emails sent to its employees. The phishing emails attempted to trick the recipients into providing credentials, money, or other sensitive information. The first email account was breached in July 2019, with the attacks continuing throughout the summer. Aveanna Healthcare discovered the breach on August 24, 2019.

The forensic investigation revealed multiple employees had been tricked into disclosing their account credentials, which provided the attackers with access to parts of the network that contained the protected health information (PHI) of 166,000 patients, including the PHI of approximately 4,000 Massachusetts residents. The patient information exposed and potentially copied included names, Social Security numbers, driver’s license numbers, financial account numbers, and health information such as diagnoses, medications, and treatment information. The threat actors also logged into the human resources system and attempted to change the direct deposit information of employees to divert payments.

The Massachusetts AG’s Office launched an investigation into the phishing attacks and determined that Aveanna Healthcare had failed to implement appropriate safeguards to protect against phishing attacks. The AG’s Office alleged Aveanna was aware that its cybersecurity program was insufficient at the time of the phishing attacks and that it did not have sufficient tools in place to adequately defend against phishing attacks, such as multi-factor authentication and sufficient security awareness training for its workforce. The Massachusetts AG’s Office determined that Aveanna’s security program had met neither the minimum level of security required by the Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts nor the minimum standards for security demanded by the HIPAA Security Rule.

The consent judgment requires Aveanna to pay a financial penalty of $425,000 to the Massachusetts AG’s Office to resolve the violations, and to adopt a corrective action plan that requires Aveanna to develop, implement, and maintain a security program that includes phishing protection technology, multi-factor authentication, and other systems designed to detect and address intrusions. Aveanna must also provide additional security awareness training to the workforce, including providing regular updates on the latest security threats. Aveanna is required to undergo annual independent assessments of its compliance with the consent order and will be monitored by the Massachusetts AG’s Office for a period of four years.

“Companies have an obligation to put the right security measures and systems in place to prevent hackers from accessing sensitive information,” said Massachusetts Attorney General Maura Healey. “As a result of this resolution, Aveanna will ensure compliance with our strong data security laws and take steps necessary to protect its employees and the private data of Massachusetts residents moving forward.”

Aveanna Healthcare is also facing a class action lawsuit over the exposure of patient data. The lawsuit alleges a failure to implement appropriate security measures and also takes issue with the length of time it took Aveanna to announce the data breach, 5 months after the breach was detected.

The post Georgia Home Health Company Settles Phishing Investigation and Pays $425,000 Penalty appeared first on HIPAA Journal.