A home health company based in Georgia has agreed to pay a $425,000 fine to Massachusetts’ Office of the Attorney General for violating state laws that required them to implement safeguards against phishing attacks.
Though it is based in Georgia, Aveanna Healthcare is the United States’ largest provider of pediatric home care and operates in 33 states. The phishing attack occurred in 2019, when over 600 phishing emails were sent to Aveanna employees. The purpose of these emails was to trick the employees into providing sensitive information, including access credentials, to the attackers.
The breach was discovered by Aveanna Healthcare on August 24, 2019, though the first email account was compromised in July of that year. Multiple employees provided their access credentials to the attackers, allowing them to access Aveanna’s network and databases. These databases contained the PHI of over 166,000 patients, including that of 4,000 residents of Massachusetts.
The attackers attempted to change the direct deposit information of patients to divert funds away from Aveanna. They could also access PHI that included sensitive information about patient treatment, medications, diagnoses, Social Security Numbers, and driver’s license numbers.
After Aveanna announced that the breach had been detected, Massachusetts’ Office of the Attorney General launched an investigation into the circumstances of the attack. The investigators determined that Aveanna had failed to implement the necessary safeguards that would have prevented the PHI breach.
In particular, the Attorney General’s Office alleged that Aveanna knew that its technical security protocols were not sufficient to defend against the attacks. There was no multi-factor authentication in place, and employees were not adequately trained in recognizing phishing emails. The Attorney General’s Office found that the security protocol that was in place did not meet the minimum requirements of the HIPAA Security Rule and the Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts.
As a result of these failings, Aveanna was required to pay a fine of $425,000 to Massachusetts’ Attorney General. It must also adopt a corrective action plan and implement – and maintain – a security program that meets the minimum requirements of the aforementioned laws. This will include using multi-factor authentication, deploying phishing protection technology, and training its workforce in recognizing and handling phishing emails. Aveanna will be monitored by the Office of the Attorney General for four years.
The Massachusetts Attorney General has commented:
“Companies have an obligation to put the right security measures and systems in place to prevent hackers from accessing sensitive information… As a result of this resolution, Aveanna will ensure compliance with our strong data security laws and take steps necessary to protect its employees and the private data of Massachusetts residents moving forward.”
Aveanna is also facing a class action lawsuit over the breach, which alleges that the 5 months Aveanna took to announce the breach was itself a violation of HIPAA.