Aveanna Healthcare, LLC, a Georgia-based home health and hospice care company, entered into a consent judgment with the Massachusetts Attorney General’s Office (the AG’s office) on November 3, 2022, agreeing to pay $425,000 to resolve allegations that its security measures were insufficient to protect the personal data of its patients and employees.
Aveanna provides home health care for children and adults in 33 states and has seven offices in Massachusetts. The AG’s office claimed hackers began targeting Aveanna with phishing emails in July 2019. As of August 2019, over 600 emails had been sent, including one that appeared to come from Aveanna’s president. The emails sought user data, money and sensitive information. Employee responses to these emails allowed the hackers to gain access to parts of Aveanna’s computer network. The hackers may have accessed Social Security numbers, driver’s license numbers, financial account numbers, and sensitive health information such as diagnoses, medications, and treatment records for approximately 4,000 Massachusetts residents, including Aveanna patients and employees. The hackers also attempted to change employees’ direct pay information in Aveanna’s HR system.
According to the allegations, Aveanna was aware of weaknesses in its cybersecurity measures but did not remedy them before the phishing attacks began. The alleged failings included inadequate employee training against phishing attacks and a failure to require multi-factor authentication. In addition, the AG’s office alleged that Aveanna’s security program did not meet the standards for protecting personally identifiable information under the Massachusetts Data Security Regulations or federal HIPAA regulations.
In addition to the financial settlement, Aveanna agreed to develop and implement a security program that uses multi-factor authentication, anti-phishing technology and other measures to protect against security breaches. The consent judgment requires Aveanna to assess its compliance with the Settlement and the Massachusetts Data Security Regulations annually for four years. Aveanna must also train its employees on data security and keep them updated on security threats. As a result of the incident, Aveanna provided breach victims with two years of free credit monitoring.
A copy of the consent judgment is available here and the complaint is available here.