Patients have filed a lawsuit against Aveanna Healthcare over a monthlong data breach, alleging the provider lacked adequate security and failed to provide timely notice, among other claims.
Georgia-based Aveanna Healthcare is facing a class-action lawsuit filed by more than 100 patients impacted by a monthlong data breach from 2019. Over 166,000 patients were affected by the security incident, which breach victims claim was caused by inadequate security.
In February, the pediatric home health services provider began notifying patients of a potential data breach caused by a phishing attack first discovered on August 24, 2019. The investigation found several employee email accounts were hacked for more than a month between July 9 and August 24.
Data exfiltration or access could not be ruled out, placing a range of patient data at risk of compromise, including patient names, Social Security numbers, state identification, health data, and other sensitive information.
As noted in the lawsuit, Aveanna waited well-beyond the HIPAA-required 60-day notification rule to begin sending notices to potential victims. The lawsuit also argues that Aveanna Healthcare inadequately safeguarded patient data and maintained the private information in a reckless manner.
Breach victims further claim the provider failed to ensure its vendors employed reasonable security protocols and technical procedures for the electronic information systems that house protected patient information.
“The private information was maintained on Aveanna’s computer network in a condition vulnerable to cyberattacks, including the infiltration of certain email accounts containing [patients]’ private information,” according to the lawsuit.
“In addition, Aveanna and its employees failed to properly monitor the computer network and systems that housed the private information,” the lawsuit continued. “Had Aveanna properly monitored the aforementioned network and systems, it would have discovered the intrusion sooner.”
Lastly, the lawsuit claims Aveanna did not have procedures in place to regularly review records of information system activity, such as audit logs, access reports, and security tracking reports. The victims also argue the provider failed to effectively train its workforce on securing PHI.
As a result of the breach, the victims argue that their identities are now at risk of compromise, as well as potential fraud and identity theft and “must now and in the future closely monitor their financial accounts, credit reports, tax returns, and similar, otherwise secure accounts to guard against identity theft.”
The lawsuit is seeking financial remedy for out-of-pocket costs related to the purchase of credit monitoring services, freezes, and reports, along with other protective measures against identity theft. Aveanna would also be required to improve its data security system, while implementing future annual audits.
Data breach lawsuits have become commonplace in healthcare, given the pace of breaches – especially seen during the last quarter of 2019. However, litigation can be drawn-out and is often met with mixed results given it can be difficult to prove actual harm.
And some recent settlements stress that the provider has not admitted liability. Rather, they provide victims with financial compensation for costs incurred by the breach, such as settlements seen with Quest Diagnostics and Banner Health.