Class Action Lawsuit Filed Against Aveanna Healthcare Concerning 2019 Phishing Attack

The healthcare provider Aveanna Healthcare centered in Atlanta, GA is charged with a class action case because of a data breach that happened last summer 2019. It is among the biggest healthcare data breaches recorded this year impacting 166,000 people.

Aveanna Healthcare offers healthcare services to adults and kids in 23 states and is the biggest company offering pediatric home care in the U.S.A. In summer 2019, a couple of email accounts had been breached in a phishing attack. Aveanna Healthcare noticed the breach on August 24, 2019 and promptly secured its email accounts. The inspectors stated that the email account was initially breached on July 9, 2019, enabling the attackers to view protected health information (PHI) for over 6 weeks.

Email messages in the breached accounts held patient details for instance names, health data, financial details, Social Security numbers, passport numbers,  driver’s license numbers, and other sensitive details. It can’t be ascertained if the attackers accessed email messages and data files. There’s no proof obtained that indicates the stealing of patient data in the attack, however the chance that the attackers stole email information before being blocked out of the email accounts could not be eliminated.

The Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule necessitates the delivery of notification letters to patients impacted by data breaches concerning the compromise of their PHI without needless delay and not later than 60 days after knowing about a breach. The breached entity should also inform the Department of Health and Human Services’ Office for Civil Rights concerning a breach in 60 days.

Aveanna Healthcare deferred the issuance of breach notification letters to impacted patients until this year. Furthermore, the healthcare provider just sent a breach report to the HHS’ Office for Civil Rights on February 14, 2020, which is over 5 months subsequent to its knowledge of the breach.

About 100 patients impacted by the breach were made part of the lawsuit. They assert that Aveanna Healthcare was unable to deliver prompt communication, and when the communication was subsequently sent, they didn’t mention what types of data were exposed. Aveanna Healthcare patients complained that the personal and healthcare records of patients were retained in a sloppy way thus data held in the provider’s systems were prone to attack.

The lawsuit claims that Aveanna Healthcare was advised about the threat to patient information but didn’t take enough steps to protect patient information. The plaintiffs likewise assert Aveanna Healthcare wasn’t adequately keeping track of computer systems that kept patient information. If systems were properly monitored, it wouldn’t have taken 6 weeks to know about the breach of data.

The plaintiffs state they now have to manage a heightened threat of identity theft and fraud since data thieves now possess their sensitive information. The lawsuit wants nominal and compensatory damages for people impacted by the breach, refund of out-of-pocket expenditures, and injunctive relief.

About the Author

Elizabeth Hernandez
Elizabeth Hernandez is the editor of HIPAA News. Elizabeth is an experienced journalist who has worked in the healthcare sector for several years. Her expertise is not limited to general healthcare reporting but extends to specialized areas of healthcare compliance and HIPAA compliance. Elizabeth's knowledge in these areas has made her a reliable source for information on the complexities of healthcare regulations. Elizabeth's contribution to the field extends to helping readers understand the importance of patient privacy and secure handling of health information. Elizabeth holds a postgraduate degree in journalism. You can follow Elizabeth on twitter at