[BreachExchange] Aveanna Healthcare Faces Lawsuit Over Monthlong Data Breach

Destry Winant destry at riskbasedsecurity.com
Thu Jun 4 10:16:28 EDT 2020


June 03, 2020 - Georgia-based Aveanna Healthcare is facing a
class-action lawsuit filed by more than 100 patients impacted by a
monthlong data breach from 2019. Over 166,000 patients were affected
by the security incident, which breach victims claim was caused by
inadequate security.

In February, the pediatric home health services provider began
notifying patients of a potential data breach caused by a phishing
attack first discovered on August 24, 2019. The investigation found
several employee email accounts were hacked for more than a month
between July 9 and August 24.

Data exfiltration or access could not be ruled out, placing a range of
patient data at risk of compromise, including patient names, Social
Security numbers, state identification, health data, and other
sensitive information.

As noted in the lawsuit, Aveanna waited well beyond the HIPAA-required
60-day notification rule to begin sending notices to potential
victims. The lawsuit also argues that Aveanna Healthcare inadequately
safeguarded patient data and maintained the private information in a
reckless manner.

Breach victims further claim the provider failed to ensure its vendors
employed reasonable security protocols and technical procedures for
the electronic information systems that house protected patient

“The private information was maintained on Aveanna’s computer network
in a condition vulnerable to cyberattacks, including the infiltration
of certain email accounts containing [patients]’ private information,”
according to the lawsuit.

“In addition, Aveanna and its employees failed to properly monitor the
computer network and systems that housed the private information,” the
lawsuit continued. “Had Aveanna properly monitored the aforementioned
network and systems, it would have discovered the intrusion sooner.”

Lastly, the lawsuit claims Aveanna did not have procedures in place to
regularly review records of information system activity, such as audit
logs, access reports, and security tracking reports. The victims also
argue the provider failed to effectively train its workforce on
securing PHI.

As a result of the breach, the victims argue that their identities are
now at risk of compromise, that they face potential fraud and identity
theft, and that they “must now and in the future closely monitor their
financial accounts, credit reports, tax returns, and similar, otherwise
secure accounts to guard against identity theft.”

The lawsuit is seeking financial remedy for out-of-pocket costs
related to the purchase of credit monitoring services, freezes, and
reports, along with other protective measures against identity theft.
Aveanna would also be required to improve its data security system,
while implementing future annual audits.

Data breach lawsuits have become commonplace in healthcare, given the
pace of breaches – especially seen during the last quarter of 2019.
However, litigation can be drawn out and is often met with mixed
results, given that it can be difficult to prove actual harm.

And some recent settlements stress that the provider has not admitted
liability. Rather, they provide victims with financial compensation
for costs incurred by the breach, such as settlements seen with Quest
Diagnostics and Banner Health.

Currently, there are multiple ongoing healthcare breach-related
lawsuits, such as UW Medicine, LifeLabs, Solara Medical Supplies, and
Hackensack Meridian Health, among a host of others.
