Aveanna Healthcare will pay $425,000 to Massachusetts for a 2019 data breach. (U.S. Immigration and Customs Enforcement)

Aveanna Healthcare in Georgia agreed to pay Massachusetts $425,000 after an investigation by that state's attorney general found that the home health and hospice provider's failure to implement proper security measures led to its phishing-related data breach in 2019.

In addition to the monetary penalty, Aveanna Health entered into a consent judgment that requires the provider to develop, implement, and maintain a security program with specific requirements, including phishing protection tools, multi-factor authentication, and systems to detect and address intrusions.

The provider is also required to better train its employees on data security and to keep them informed of security threats. Aveanna must also undergo an independent compliance assessment each year, covering both the consent judgment and the Massachusetts Data Security Regulations.

Massachusetts Attorney General Maura Healey explained the importance of companies employing necessary security measures under the current threat landscape. The security requirements for Aveanna are designed to “ensure compliance with our strong data security laws and take steps necessary to protect its employees and the private data… moving forward.”

The state launched an audit of the company after Aveanna Health disclosed the incident in February 2020. The incident involved the data of more than 166,077 patients (just 4,000 Massachusetts patients were involved).

The compromise, first discovered on Aug. 24, 2019, involved several employee email accounts that were hacked over the course of a month. Forensics could not rule out data access or exfiltration. The data exposed in the phishing-related incident included patient names, Social Security numbers, state IDs, medical data, health insurance information, driver’s licenses, financial information, and banking details.

The incident was the 10th largest healthcare data breach reported in 2020.

Aveanna attributed the delay in notifying patients to an account review, which did not conclude until four months later. However, the provider then waited another two months before reporting the incident.

Investigation findings serve as warning to providers

The company is currently defending itself against a lawsuit brought by more than 100 patients after the release of the breach notice. The lawsuit includes elements brought to light by Massachusetts’ separate investigation: namely, that the incident was caused by inadequate security and a lack of monitoring, as well as the delay in notification.

The state attorney general argues that “Aveanna was aware that its cybersecurity required improvement but had not implemented new changes to improve it by the time the phishing attacks occurred.”

Among the problems identified by the company itself were a lack of employee training, failure to implement sufficient tools, and not using multi-factor authentication.

The investigation detailed broader issues with the company's security, explaining that “Aveanna’s security program failed to meet the minimum required safeguards to protect personal information under the Massachusetts Data Security Regulations,” as well as the protected health information standards required by the Health Insurance Portability and Accountability Act.

As noted by the investigation, phishing emails designed to appear as if sent by the company’s president were delivered to Aveanna employees over the course of July 2019.

“The attacks continued into August 2019, by which point more than 600 phishing emails were sent to employees,” the report showed. “Employees’ responses to these emails resulted in hackers obtaining access to portions of Aveanna’s computer network.”

The access also spurred attempts to “defraud employees by logging into Aveanna’s human resources system and altering individual employees’ direct deposit information.”

Given the sheer volume of phishing attacks deployed against Aveanna employees, these measures would at least have dampened the impact. Providers should take note of the investigation’s findings and take proactive measures, as email account compromises are among the most common incidents and among the hardest to respond to when it comes to forensics and compliance.

While there may be a long backlog of Office for Civil Rights investigations, state regulators and the Federal Trade Commission have increasingly used their authority in the last few years to address companies’ failures to deploy effective security measures.

The recent New York settlement with EyeMed, the company's second with that state, shows what providers can expect moving forward even when they avoid an OCR audit.