November 08, 2022: A Georgia-based home healthcare and hospice provider will pay nearly $500,000 to the state of Massachusetts to end state litigation connected to a data breach affecting about 170,000 patients. The settlement comes just weeks after Aveanna Healthcare agreed to settle a putative class action in federal district court for up to $800,000 in cash payments and credit monitoring protections.
Both court cases arose from 600 phishing attempts made during the summer of 2019 that grew more sophisticated over time. At one point, company employees received an email that appeared to come from the company president, asking them to participate in a survey. A complaint from the Massachusetts attorney general states that more than 50 employees fell for the two-month phishing attack.
The putative class action complaint states that phishers got away with patient data, including Social Security numbers, payment information, identification numbers from passports and driver’s licenses, diagnosis data, and treatment type (see: Data Breach Lawsuit Filed Against Pediatric Care Provider).
In February 2020, Aveanna notified the Department of Health and Human Services about the incident, which affected 166,077 individuals, including patients and employees.
Each of the settlements requires Aveanna to improve its cybersecurity. Massachusetts and the putative class action complaint accuse the company of not having instituted basic cybersecurity protections, including multifactor authentication.
“Businesses have an obligation to put the right security measures and systems in place to contain hackers from accessing sensitive data,” Massachusetts Attorney General Maura Healey said of her office’s $425,000 settlement with Aveanna.
Her complaint asserts that the company knew its cybersecurity was insufficient, having developed a plan for cybersecurity improvements just months before the phishing attacks. A post-attack examination by the company “acknowledged that its present cybersecurity posture was ‘lacking,’” the complaint also states. Besides noting the lack of multifactor authentication, it said the company’s network lacked a security information and event management (SIEM) system.
Under the class action settlement, affected individuals are each eligible to receive reimbursement of up to $10,000 in costs, including documented, unreimbursed out-of-pocket costs resulting from the security incident, losses from identity theft and fraud, and up to $250 for time spent remedying problems relating to the breach.
Aveanna also agreed to provide five years of identity theft and credit monitoring.
The company did not immediately respond to Information Security Media Group’s request for comment on Healey’s enforcement action and the class action lawsuit settlement.