Georgia Home Health and Hospice Provider to Pay $425,000 to Resolve Allegations of Inadequate Computer Security in Connection with Data Breach

King & Spalding
Aveanna Healthcare, LLC, a Georgia-based home health and hospice care company, entered a consent judgment with the Massachusetts Attorney General’s Office (the AG's Office) on November 3, 2022, agreeing to pay $425,000 to resolve allegations that its security measures were inadequate to protect personal information of its patients and employees.

Aveanna provides pediatric and adult home health care in thirty-three states and has seven offices in Massachusetts. The AG’s Office alleged that hackers began targeting Aveanna with phishing emails in July 2019. By August 2019, over 600 emails had been sent, including one that appeared as though it came from Aveanna’s president. The emails sought user credentials, money, and sensitive information. Employees’ responses to those emails resulted in hackers accessing some portions of Aveanna’s computer network. The hackers may have accessed social security numbers, driver’s license numbers, financial account numbers, and sensitive health information like diagnoses, medications, and treatment records for some 4,000 Massachusetts residents, including Aveanna’s patients and employees. The hackers also attempted to change employees’ direct deposit information in Aveanna’s human resources system.

According to the allegations, Aveanna was aware of weaknesses in its cybersecurity measures but failed to improve them before the phishing attacks occurred. The alleged failures included not providing adequate employee training against phishing attacks and not requiring multi-factor authentication. Additionally, the AG’s Office alleged that Aveanna’s security program did not meet standards for safeguarding personal information under the Massachusetts Data Security Regulations or federal HIPAA regulations.

In addition to the financial settlement, Aveanna agreed to develop and implement a security program with multi-factor authentication, anti-phishing technology, and other measures to protect against breaches. The consent judgment requires Aveanna to annually assess its compliance with the settlement and the Massachusetts Data Security Regulations for four years. It also requires Aveanna to train its employees on data security and update them on security threats. Aveanna provided victims of the breach with two years of free credit monitoring as a result of the incident.

A copy of the consent judgment is available here and the complaint is available here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
