DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Data Breach Lawsuit Filed Against Aveanna Healthcare

Posted on June 3, 2020 by Dissent

Marianne Kolbasuk McGee reports that Aveanna Healthcare has been sued over a July, 2019 breach that it discovered in August, 2019. The breach was disclosed in February of 2020 as potentially impacting more than 166,000 patients. The incident was one of all-too-many incidents where threat actors gained access to a number of employees’ email accounts, and then the covered entity needed to wade through all of the employee email accounts for information as to which patients had what kinds of protected health information in the email accounts or attachments to emails. And as in all-too-many cases I’ve covered over the past year or more, the process of investigating took much longer than the 60 days from initial discovery, and even then, Aveanna could not determine whether any emails were actually accessed or not.

So now it seems there’s a lawsuit. And from reading the complaint, it does not seem that the named plaintiff has actually claimed concrete injury. How can they, when there was no clear evidence that data were even accessed, much less exfiltrated or misused? Is this another lawsuit based on the hope that because the defendant has deep pockets, they will settle?

Aveanna is certainly a big provider of in-home healthcare services. But unless all breaches are always avoidable, I think this lawsuit will struggle to defeat a challenge to standing.  The plaintiff “believes” that their data was stolen and sold, but do not claim to have even a scintilla of evidence to support that “belief.”  They use boilerplate language that I’ve seen many times by now to use HIPAA as a standard for what they claim the defendant failed to do, and include a parade of horribles that plaintiffs may suffer, and which they claim are “imminent” harms.

They also claim that notice was not timely, which is the only claim I actually agree with. I understand that it takes time to wade through so many email accounts and emails, but that is something I would like to see OCR investigate and take some relevant enforcement action or provide some guidance about. If you have reason to believe that it could take months to wade through so much data manually, then what is the solution or alternative?  Is there software that can automate the process? Would encryption have prevented the problem? Was 2FA or MFA in place that might have prevented the breach? Phishing attacks continue to be a frequent occurrence and hence, should be included in an entity’s risk assessment. Has OCR looked into any entity’s risk assessment to see if it includes  phishing and had an appropriate plan other than periodically reminding employees not to fall for phishing attempts or providing occasional exercises or tests? What else is in place?

In the meantime, you can read more about this particular lawsuit on GovInfoSecurity.

The case is Purvis v. Aveanna Healthcare, LLC, Case #: 1:20-cv-02277-LMM. It was filed in the Northern District of Georgia by Teairra Purvis individually, on behalf of her minor child, J.A. and on behalf of all others similarly situated.


Related:

  • PowerSchool commits to strengthened breach measures following engagement with the Privacy Commissioner of Canada
  • Two more entities have folded after ransomware attacks
  • Data breach feared after cyberattack on AMEOS hospitals in Germany
  • Global hack on Microsoft product hits U.S., state agencies, researchers say
  • Michigan ‘ATM jackpotting’: Florida men allegedly forced machines to dispense $107K
  • Premier Health Partners issues a press release about a breach two years ago. Why was this needed now?
Category: HackHealth DataU.S.

Post navigation

← Judge Pushes Back Accused LinkedIn Hacker’s Trial One Last Time Over COVID-19 Concerns
Ransomware gang says it breached one of NASA’s IT contractors →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Scattered Spider Hijacks VMware ESXi to Deploy Ransomware on Critical U.S. Infrastructure
  • Hacker group “Silent Crow” claims responsibility for cyberattack on Russia’s Aeroflot
  • AIIMS ORBO Portal Vulnerability Exposing Sensitive Organ Donor Data Discovered by Researcher
  • Two Data Breaches in Three Years: McKenzie Health
  • Scattered Spider is running a VMware ESXi hacking spree
  • BreachForums — the one that went offline in April — reappears with a new founder/owner
  • Fans React After NASCAR Confirms Ransomware Breach
  • Allianz Life says ‘majority’ of customers’ personal data stolen in cyberattack (1)
  • Infinite Services notifying employees and patients of limited ransomware attack
  • The safe place for women to talk wasn’t so safe: hackers leak 13,000 user photos and IDs from the Tea app

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • White House ordered to restore Medicaid funding to Planned Parenthood clinics
  • California Attorney General Announces $1.55M CCPA Settlement with Healthline.com
  • Canada’s Bill C-2 Opens the Floodgates to U.S. Surveillance
  • Wiretap Suits Pit Old Privacy Laws Against New AI Technology
  • Action against tiny Scottish charity sparks huge ICO row
  • Congress tries to outlaw AI that jacks up prices based on what it knows about you
  • Microsoft’s controversial Recall feature is now blocked by Brave and AdGuard

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.
Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report