The healthcare provider, Aveanna Healthcare, based in Georgia recently reported the unauthorized access of the email accounts of 11 personnel by a third party, who acquired access to 10,482 patients’ protected health information (PHI). This is Aveanna Healthcare’s second email breach report this year. On March 15, 2024, Aveanna Healthcare submitted to the HHS’ Office for Civil Rights an email breach report involving the PHI of 65,482 patients. That incident was caused by unauthorized access to a staff email account on or about September 22, 2023.
The most recent breach was identified one month after OCR received notification about the prior email breach. Based on the substitute breach notice posted on Aveanna Healthcare’s website, strange activity was noticed in the employee email accounts on April 17, 2024. The healthcare provider took immediate action to stop continuing unauthorized access to the email accounts and investigated the incident to find out the nature and extent of the data breach.
On June 12, 2024, the investigation affirmed that the email accounts stored PHI, such as names, driver’s license numbers/state ID numbers, Social Security numbers, birth dates, health data, diagnosis, treatment details, patient ID numbers, incidental health references, names of provider, medical insurance data, prescription details, Medicaid/Medicare numbers, and treatment cost data. The types of information affected differed from one person to another.
Although patient information was compromised, Aveanna Healthcare stated it did not receive any information about the misuse of the exposed data; nevertheless, as a safety measure, the impacted persons were provided free identity protection services via CyEx. Aveanna Healthcare mentioned on its substitute breach notice that Aveanna is very serious when it comes to the security and confidentiality of personal data in its control. To ensure the protection of patients’ rights under HIPAA, the company is taking extra steps to avoid the same occurrence down the road.
Aveanna has set up a toll-free call center to assist patients with their questions regarding the incident and to deal with related issues. Call center staff are available to give support to victims from Monday to Friday from 9:00 am to 9:00 pm Eastern Time and may be reached at 1.844.707.4507. All impacted persons may be eligible for free identity protection services via CyEx. Those who have yet to receive a breach notification letter must verify their eligibility to enroll in the protection services.