Georgia Healthcare Provider Settles with Massachusetts Attorney General

A home health and hospice care company has agreed to pay a penalty of $425,000 to the Office of the Attorney General of Massachusetts for failing to implement appropriate safeguards to prevent phishing attacks. Aveanna Healthcare, LLC operates in 33 states and is the US’s largest provider of pediatric home care.

In 2019 the company was subjected to over 600 phishing emails that attempted to trick employees into handing over:

  • Credentials
  • Money
  • Other sensitive information

Massachusetts Investigation

The investigation found that multiple employees were tricked into giving their credentials. This meant that attackers were able to access parts of the network containing the protected health information of 166,000 patients, including around 4,000 Massachusetts residents. The patients’ information that was exposed and potentially copied included: 

  • Names
  • Social Security numbers
  • Driver’s license numbers
  • Financial account numbers
  • Health information, such as:
    • Diagnoses
    • Medications
    • Treatment information

Attackers also accessed parts of the HR network and attempted to divert employee payments. 

It was determined that Aveanna Healthcare had failed to implement the safeguards necessary to protect against phishing attacks. The company was also aware that its cybersecurity program was insufficient at the time of the attack, and it did not have adequate tools in place to defend against phishing. Controls that could have helped in this situation include multi-factor authentication and adequate security awareness training for the workforce.

The Massachusetts Attorney General’s Office determined that Aveanna Healthcare’s security program had not met the minimum level of security required by either:

  • The Massachusetts regulation on the Protection of Personal Information of Residents of the Commonwealth; or
  • The HIPAA Security Rule

Penalty and Actions

In addition to the penalty of $425,000, Aveanna Healthcare must also make some changes within the company:

  • Adopt a corrective action plan that requires development, implementation, and maintenance of a security program that includes:
    • Phishing protection technology
    • Multi-factor authentication
    • Other systems designed to detect and address intrusions
  • Provide additional security awareness training to the workforce
    • Including providing regular updates on the latest security threats
  • Undergo independent assessments of its compliance with the consent order
  • Be monitored by the Massachusetts Attorney General for a period of 4 years. 

Complying with the laws of the state in which your company is based isn’t enough. If you collect the data of residents of other states, you must comply with those states’ laws as well. Contact us today to find out how we can make that process simpler.
