A home health and hospice care company has agreed to pay a $425,000 penalty to the Office of the Attorney General of Massachusetts for failing to implement appropriate safeguards against phishing attacks. Aveanna Healthcare, LLC operates in 33 states and is the largest provider of pediatric home care in the US.
In 2019 the company was targeted by over 600 phishing emails that attempted to trick employees into handing over:
- Credentials
- Money
- Other sensitive information
Massachusetts Investigation
The investigation found that multiple employees were tricked into giving up their credentials. With those credentials, attackers were able to access parts of the network containing the protected health information of 166,000 patients, including around 4,000 Massachusetts residents. The patient information that was exposed and potentially copied included:
- Names
- Social Security numbers
- Driver’s license numbers
- Financial account numbers
- Health information, such as:
  - Diagnoses
  - Medications
  - Treatment information
Attackers also accessed parts of the HR network and attempted to divert employee payments.
It was determined that Aveanna Healthcare had failed to implement the safeguards necessary to protect against phishing attacks, and that the company was aware its cybersecurity program was insufficient at the time of the attack. It also lacked adequate tools to defend against phishing. Controls that could have helped in this situation include multi-factor authentication (which limits what a stolen password alone can unlock) and adequate security awareness training for the workforce.
The Massachusetts Attorney General’s Office found that Aveanna Healthcare’s security program had not met the minimum level of security required by either:
- Protection of Personal Information of Residents of the Commonwealth of Massachusetts; nor
- HIPAA Security Rule
Penalty and Actions
In addition to the $425,000 penalty, Aveanna Healthcare must also make changes within the company:
- Adopt a corrective action plan that requires the development, implementation, and maintenance of a security program that includes:
  - Phishing protection technology
  - Multi-factor authentication
  - Other systems designed to detect and address intrusions
- Provide additional security awareness training to the workforce, including regular updates on the latest security threats
- Undergo independent assessments of its compliance with the consent order
- Be monitored by the Massachusetts Attorney General for a period of 4 years
Complying with the laws of the state your company is based in isn’t enough. If you collect data on residents of other states, you must comply with those states’ laws as well. Contact us today to find out how we can make that process simpler.