Marianne Kolbasuk McGee reports that Aveanna Healthcare has been sued over a July, 2019 breach that it discovered in August, 2019. The breach was disclosed in February of 2020 as potentially impacting more than 166,000 patients. The incident was one of all-too-many incidents where threat actors gained access to a number of employees’ email accounts, and then the covered entity needed to wade through all of the employee email accounts for information as to which patients had what kinds of protected health information in the email accounts or attachments to emails. And as in all-too-many cases I’ve covered over the past year or more, the process of investigating took much longer than the 60 days from initial discovery, and even then, Aveanna could not determine whether any emails were actually accessed or not.
So now it seems there’s a lawsuit. And from reading the complaint, it does not seem that the named plaintiff has actually claimed concrete injury. How can they, when there was no clear evidence that data were even accessed, much less exfiltrated or misused? Is this another lawsuit based on the hope that because the defendant has deep pockets, they will settle?
Aveanna is certainly a big provider of in-home healthcare services. But unless all breaches are always avoidable, I think this lawsuit will struggle to defeat a challenge to standing. The plaintiff “believes” that their data was stolen and sold, but do not claim to have even a scintilla of evidence to support that “belief.” They use boilerplate language that I’ve seen many times by now to use HIPAA as a standard for what they claim the defendant failed to do, and include a parade of horribles that plaintiffs may suffer, and which they claim are “imminent” harms.
They also claim that notice was not timely, which is the only claim I actually agree with. I understand that it takes time to wade through so many email accounts and emails, but that is something I would like to see OCR investigate and take some relevant enforcement action or provide some guidance about. If you have reason to believe that it could take months to wade through so much data manually, then what is the solution or alternative? Is there software that can automate the process? Would encryption have prevented the problem? Was 2FA or MFA in place that might have prevented the breach? Phishing attacks continue to be a frequent occurrence and hence, should be included in an entity’s risk assessment. Has OCR looked into any entity’s risk assessment to see if it includes phishing and had an appropriate plan other than periodically reminding employees not to fall for phishing attempts or providing occasional exercises or tests? What else is in place?
In the meantime, you can read more about this particular lawsuit on GovInfoSecurity.
The case is Purvis v. Aveanna Healthcare, LLC, Case #: 1:20-cv-02277-LMM. It was filed in the Northern District of Georgia by Teairra Purvis individually, on behalf of her minor child, J.A. and on behalf of all others similarly situated.