Aveanna Healthcare, a healthcare provider based in Atlanta, GA, is facing a class-action lawsuit over a data breach that took place in the summer of 2019. It is one of the largest healthcare data breaches reported this year, affecting 166,000 patients.
Aveanna Healthcare provides healthcare services to adults and children in 23 states and is the largest provider of pediatric home care in America. In the summer of 2019, a number of email accounts were exposed in a phishing attack. Aveanna Healthcare discovered the attack on August 24, 2019 and quickly secured its email accounts. The investigators confirmed that the email account was first breached on July 9, 2019, allowing the attackers to access protected health information (PHI) for more than 6 weeks.
Emails in the compromised accounts included patient data such as names, health information, financial data, passport numbers, Social Security numbers, driver’s license numbers, and other sensitive information. It can’t be confirmed whether the attackers viewed the emails and files. No evidence was found to suggest that patient information was stolen during the attack, but it is possible that the attackers downloaded email data before being shut out of the email accounts.
The Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule requires that patients affected by a data breach be notified of the exposure of their PHI without unnecessary delay and within 60 days after discovery of the breach. The breached entity must also notify the Department of Health and Human Services’ Office for Civil Rights of the breach within 60 days.
Aveanna Healthcare postponed issuing breach notifications to affected patients until 2020. The provider also did not submit a breach report to the HHS’ Office for Civil Rights until February 14, 2020, more than 5 months after it discovered the breach.
Over 100 patients affected by the breach are involved in the lawsuit. They claim that Aveanna Healthcare did not send timely notifications and that, when the notifications were eventually sent, they did not make clear what types of information were compromised. The patients assert that patients' private personal and healthcare information was kept in a careless manner, leaving information in the provider’s systems susceptible to attack.
The lawsuit alleges that Aveanna Healthcare was informed about the risk to patient data yet did not take sufficient steps to safeguard it. The plaintiffs additionally claim that Aveanna Healthcare was not appropriately checking the computer systems that held patient data. If systems had been strictly monitored, it would not have taken 6 weeks to identify the data breach.
The plaintiffs assert they now have to deal with an increased risk of identity theft and fraud because data thieves now have their sensitive data. The lawsuit is seeking nominal and compensatory damages for individuals affected by the breach, repayment of out-of-pocket costs, and injunctive relief.