Menu

News

AG Healey Settles With Aveanna Healthcare over 2019 Data Breach

  • Massachusetts AG Maura Healey reached a settlement with Aveanna Healthcare, LLC to resolve allegations that the home healthcare company violated federal HIPAA regulations, the Massachusetts Data Security Regulations, and other state consumer protection laws when it failed to implement proper data security measures to protect patient and employee personal information in a 2019 data breach.
  • According to the complaint, attackers were able to access systems containing Aveanna patient and employee data through a series of “phishing” emails that targeted Aveanna employees and compromised the company’s network security. As a result, the attackers were able to access the personal information of over 4,000 Massachusetts residents, which potentially included individuals’ social security numbers, driver’s license numbers, financial account numbers, insurance claims information, and medical information such as diagnoses, treatments, and medication.
  • Under the terms of the settlement, Aveanna must pay $425,000 to the Massachusetts AG’s office and develop, implement, and maintain an information security program that includes specific security safeguards such as phishing protection technology, multi-factor authentication, vulnerability management, asset inventory, intrusion detection and prevention systems, among other controls. In addition, Aveanna must continue to train its employees on data security, keep them up to date on security threats, and obtain an annual independent assessment of its compliance with the consent judgment and the Massachusetts Data Security Regulations for a period of four years.