2019 Phishing Attack Could Lead to Class Action Lawsuit for Aveanna Healthcare

Healthcare provider Aveanna Healthcare is facing a potential class action lawsuit in relation to a data breach that took place during 2019 which impacted 166,000 patients.

Aveanna Healthcare is a supplier of healthcare services to adults and children in 23 states and is the biggest provider of pediatric home care in the United States. In the summer of 2019, several email accounts were infiltrated in a phishing attack. Aveanna Healthcare first noticed the attack on August 24, 2019 and quickly secured its email accounts. The investigation showed that the first email account was breached on July 9, 2019, giving the hackers access to protected health information for more than six weeks.

Emails in the infiltrated accounts included patient information such as names, health information, financial information, passport numbers, driver’s license numbers, Social Security numbers, and other sensitive data. It was not possible to determine whether emails and files were viewed by the hackers. No proof was found to suggest patient information was taken during the attack, but it was not possible to eliminate the possibility that the hackers exfiltrated email data before they were shut out of the email accounts.

The Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule requires patients impacted by data breaches to be notified about the exposure of their PHI without unnecessary delay and no later than 60 days after the discovery of a breach. The Department of Health and Human Services’ Office for Civil Rights must also be alerted about a breach within 60 days.

Aveanna Healthcare delayed sharing breach notifications to patients until this year and reported the breach to the HHS’ Office for Civil Rights on February 14, 2020, more than 5 months after the breach was discovered.

More than 100 patients who had their PHI impacted in the breach have so far been included in the lawsuit. They claim that Aveanna Healthcare failed to issue timely notifications, and when those notifications were eventually issued, they failed to explain what types of information had been impacted. Aveanna Healthcare is thought to have maintained the private personal and healthcare data of patients “in a reckless manner” and information stored in its systems was vulnerable to attack due to this.

The lawsuit states that Aveanna Healthcare was conscious of the fact that patient data was at risk yet failed to take adequate steps to safeguard patient data. The plaintiffs also claim Aveanna Healthcare was not properly monitoring computer systems that included patient data. If those systems were being monitored, it would not have taken six weeks for the data breach to be discovered.

The plaintiffs claim they now face a heightened risk of identity theft and fraud as their sensitive data is now in the possession of data thieves. The legal action seeks nominal and compensatory damages for patients impacted by the breach, reimbursement of out-of-pocket expenses, and injunctive relief.