DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Data Breach Lawsuit Filed Against Aveanna Healthcare

Posted on June 3, 2020 by Dissent

Marianne Kolbasuk McGee reports that Aveanna Healthcare has been sued over a July, 2019 breach that it discovered in August, 2019. The breach was disclosed in February of 2020 as potentially impacting more than 166,000 patients. The incident was one of all-too-many incidents where threat actors gained access to a number of employees’ email accounts, and then the covered entity needed to wade through all of the employee email accounts for information as to which patients had what kinds of protected health information in the email accounts or attachments to emails. And as in all-too-many cases I’ve covered over the past year or more, the process of investigating took much longer than the 60 days from initial discovery, and even then, Aveanna could not determine whether any emails were actually accessed or not.

So now it seems there’s a lawsuit. And from reading the complaint, it does not seem that the named plaintiff has actually claimed concrete injury. How can they, when there was no clear evidence that data were even accessed, much less exfiltrated or misused? Is this another lawsuit based on the hope that because the defendant has deep pockets, they will settle?

Aveanna is certainly a big provider of in-home healthcare services. But unless all breaches are always avoidable, I think this lawsuit will struggle to defeat a challenge to standing.  The plaintiff “believes” that their data was stolen and sold, but do not claim to have even a scintilla of evidence to support that “belief.”  They use boilerplate language that I’ve seen many times by now to use HIPAA as a standard for what they claim the defendant failed to do, and include a parade of horribles that plaintiffs may suffer, and which they claim are “imminent” harms.

They also claim that notice was not timely, which is the only claim I actually agree with. I understand that it takes time to wade through so many email accounts and emails, but that is something I would like to see OCR investigate and take some relevant enforcement action or provide some guidance about. If you have reason to believe that it could take months to wade through so much data manually, then what is the solution or alternative?  Is there software that can automate the process? Would encryption have prevented the problem? Was 2FA or MFA in place that might have prevented the breach? Phishing attacks continue to be a frequent occurrence and hence, should be included in an entity’s risk assessment. Has OCR looked into any entity’s risk assessment to see if it includes  phishing and had an appropriate plan other than periodically reminding employees not to fall for phishing attempts or providing occasional exercises or tests? What else is in place?

In the meantime, you can read more about this particular lawsuit on GovInfoSecurity.

The case is Purvis v. Aveanna Healthcare, LLC, Case #: 1:20-cv-02277-LMM. It was filed in the Northern District of Georgia by Teairra Purvis individually, on behalf of her minor child, J.A. and on behalf of all others similarly situated.

Related posts:

  • Aveanna Healthcare To Pay $425,000 Following Phishing Attacks in 2019 That Impacted Thousands of Massachusetts Residents
Category: HackHealth DataU.S.

Post navigation

← Judge Pushes Back Accused LinkedIn Hacker’s Trial One Last Time Over COVID-19 Concerns
Ransomware gang says it breached one of NASA’s IT contractors →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Ransomware in Italy, strike at the Diskstation gang: hacker group leader arrested in Milan
  • A year after cyber attack, Columbus could invest $23M in cybersecurity upgrades
  • Gravity Forms Breach Hits 1M WordPress Sites
  • Stormous claims to have protected health info on 600,000 patients of North Country Healthcare. The data appear fake. (1)
  • Back from the Brink: District Court Clears Air Regarding Individualized Damages Assessment in Data Breach Cases
  • Multiple lawsuits filed against Doyon Ltd over April 2024 data breach and late notification
  • Chinese hackers suspected in breach of powerful DC law firm
  • Qilin Emerged as The Most Active Group, Exploiting Unpatched Fortinet Vulnerabilities
  • CISA tags Citrix Bleed 2 as exploited, gives agencies a day to patch
  • McDonald’s McHire leak involving ‘123456’ admin password exposes 64 million applicant chat records

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Here’s What a Reproductive Police State Looks Like
  • Meta investors, Zuckerberg to square off at $8 billion trial over alleged privacy violations
  • Australian law is now clearer about clinicians’ discretion to tell our patients’ relatives about their genetic risk
  • The ICO’s AI and biometrics strategy
  • Trump Border Czar Boasts ICE Can ‘Briefly Detain’ People Based On ‘Physical Appearance’
  • DeleteMyInfo Wins 2025 Digital Privacy Excellence Award from Internet Safety Council
  • TikTok Loses First Appeal Against £12.7M ICO Fine, Faces Second Investigation by DPC

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.
Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report