Aveanna Healthcare Breach Affected More Than 166,000
A lawsuit seeking class action status has been filedd against Atlanta-based Aveanna Healthcare in the wake of a 2019 data breach at the pediatric home healthcare provider that affected more than 166,000 individuals.
The breach, reported to the Department of Health and Human Services on Feb. 14, is the fifth largest added to the HHS HIPAA Breach Reporting Tool website so far this year (see: Health Data Breach Tally Spikes in Recent Weeks).
Commonly called the "wall of shame," the HHS Office for Civil Rights website lists health data breaches affecting 500 or more individuals.
In a Feb. 18, 2020 breach notification statement, Aveanna Healthcare said it became aware of suspicious activity relating to a number of its employee email accounts on Aug. 24, 2019.
"We took steps to secure the email accounts and began working with outside computer forensics specialists to determine the nature and scope of the activity," Aveanna said in its notification.
"The investigation determined that an unknown intruder accessed certain employee email accounts between July 9, 2019 and August 24, 2019. Unfortunately, the investigation did not reveal if any email or attachment was actually accessed or viewed."
The lawsuit filed Thursday in a Georgia federal court says that Aveanna is the nation's largest provider of pediatric home care, offering services - including private duty nursing, therapy, autism services and nutrition - in 23 states. The company also offers a variety of adult healthcare services, such as in-home nursing.
The complaint does not indicate how many of the more than 166,000 individuals impacted by the incident are minors, and Aveanna Healthcare did not respond to an Information Security Media Group inquiry on the number of pediatric patients affected by the breach.
The lawsuit says information compromised in the data breach includes Social Security numbers, dates of birth, bank account and credit card details, passport numbers, driver's license numbers, medical record numbers, patient account numbers, diagnosis information and treatment type.
The lawsuit alleges that Aveanna failed to provide timely and adequate notice to those affected by the breach that private information had been subject to the unauthorized access of an unknown third party. It says the practice did not specify what private Information was inappropriately accessed. And it alleges the organization maintained the private information "in a reckless manner."
"In particular, the private information was maintained on Aveanna's computer network in a condition vulnerable to cyberattacks, including the infiltration of certain Aveanna email accounts containing plaintiffs' and class members' private information," the lawsuit alleges.
"The mechanism of the cyberattack and potential for improper disclosure of plaintiffs and class members' private information was a known risk to [Aveanna], and thus the defendant was on notice that failing to take steps necessary to secure the private information from those risks left that property in a dangerous condition," the lawsuit states.
In addition, the complaint alleges that Aveanna and its employees "failed to properly monitor" the computer network and systems that housed the breached data. "Had Aveanna properly monitored the network and systems, it would have discovered the intrusion sooner," the lawsuit contends.
Those who had data exposed in the breach are at risk of identity theft because the information is "now in the hands of data thieves," the lawsuit alleges.
The lawsuit seeks nominal damages, compensatory damages, reimbursement of out-of-pocket costs and the cost of identity theft protection, and injunctive relief, "including improvements to Aveanna's data security systems."
An attorney representing plaintiffs in the lawsuit did not immediately respond to an ISMG request for comment on the case.
In its Febuary breach notification statement, Aveanna says it was unaware of any attempted or actual misuse of this impacted information.
In a statement provided to ISMG on Tuesday, an Aveanna spokesman says the lawsuit "is opportunistic and without merit, and Aveanna will vigorously defend itself."
After becoming aware of suspicious activity relating to employee email accounts, Aveanna moved quickly to secure those accounts and worked with forensics specialists to determine the nature and scope of the activity, he says.
"The thorough investigation did not reveal if any email or attachment with personal information was actually accessed or viewed by outside parties," he adds. "Out of an abundance of caution, Aveanna, with assistance from third-party specialists, identified and notified all individuals whose information could have potentially been viewed or acquired. Aveanna also provided notice to all appropriate state and federal regulators and major consumer reporting agencies."
Aveanna is providing all potentially affected individuals with free access to a minimum of 12 months of credit monitoring and identity restoration services.
Data breaches that compromise sensitive information about minors can have long-term consequences, says technology attorney Steven Teppler of the law firm Mandelbaum Salsburg P.C.
"First, a minor victim's background/consumer report is pretty much a blank slate during the victim's minority, and where identity thefts/compromises take place during that period, it may not be until after the victim reaches majority that he or she will need to undertake substantial and most likely very costly measures to 'clean up' financial, medical, and employment records," he notes.
"Second, threat actors might 'age' this information, and wait perhaps years until the victim reaches the age of majority - mulling them into complacency - before initiating a series of identity thefts/compromises and impersonations - financial, medical, employment, and perhaps even create a criminal record, all unbeknownst to the victim."
Another legal expert, however, says that despite the risks to minors whose data was potentially compromised in the Aveanna incident, plaintiffs face an uphill legal battle.
"The Aveanna plaintiffs have a big hurdle. To stay alive in court they have to show their damage claims are real now and not simply speculation about damages they may suffer in the future," says Paul Hales, an independent privacy and security attorney. "That will be the first battle, and it's not clear yet if they can survive.
"It's heartbreaking for young people to find out they have bad credit because their Social Security number was stolen when they were children. However, the possibility, indeed, probability that identity theft will cause a minor harm in the future is just a speculation now."