Aveanna Healthcare Consents to $425,000 Judgement for Phishing Susceptibility

Dec 7, 2022

In July 2019, members of the workforce at Aveanna Healthcare were targeted with more than 600 phishing emails from an unknown source, attempting to trick the recipients into disclosing login credentials and other sensitive information. Many of the phishing emails were successful, giving the attackers access to the Protected Health Information (PHI) of 166,077 clients, including approximately 4,000 residents of Massachusetts.

The data breach was discovered by Aveanna Healthcare on August 24, 2019, but was not reported to HHS’ Office for Civil Rights (OCR) until February 2020. Despite the number of records involved and the delay in notification, OCR accepted the pediatric home care provider’s assurances that measures were being implemented to strengthen its technical safeguards and reduce its workforce’s susceptibility to phishing emails.

However, the Office of the Massachusetts Attorney General was not so accepting of the pediatric home care provider’s assurances. Exercising its HITECH Act authority to investigate potential violations of HIPAA, it determined that Aveanna Healthcare was aware that its security systems were inadequate prior to the phishing attacks, but failed to implement appropriate measures or to train its workforce to resist the attacks.

Consent Judgement includes Phishing Training Conditions

Having found that Aveanna Healthcare’s security program did not meet the minimum HIPAA compliance requirements or the Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts (201 CMR 17.00), the Office of the Massachusetts Attorney General brought a civil action against Aveanna Healthcare, which was settled for $425,000 without an admission of liability or culpability.

As part of the consent judgement, Aveanna Healthcare must comply with a corrective action plan that requires the company to reduce workforce susceptibility to phishing by implementing two-factor authentication and security awareness training. Training must be provided to all members of the workforce within sixty days and annually thereafter. Any workforce member who does not attest to having received phishing training is to have their access to PHI rescinded.

The corrective action plan will be in force for a minimum of four years, during which time Aveanna Healthcare will undergo annual assessments of its compliance with the consent judgement. If any violation of the consent agreement is not cured within 90 days of being provided notice of the violation, Aveanna Healthcare may face further civil monetary penalties or an extension of the corrective action plan.
