We read this morning that Aveanna Healthcare of Georgia is facing a class action lawsuit after failing to report a 2019 ePHI breach affecting more than 166,000 patients in a timely manner. The source of the breach was a phishing attack that compromised email accounts over the period of a month. Among other allegations, Aveanna reportedly failed to report the breach as required by the HIPAA Breach Notification Rule, and failed to monitor its network, employ technical protocols, follow reasonable technical procedures to protect ePHI and review system activity, as required by the Security Rule. What we see here is the aftermath of a series of (bad) business decisions. Breaches don't just happen, and Aveanna is probably going to pay exponentially more in court costs and after-the-fact security measures than it would have cost to simply run a program that factored in risk, security and compliance.
We also read this morning that one of our long-time partners has discontinued our relationship, following a quick series of retirements or new opportunities for their legacy CEO, finance director, HIPAA Security Officer and information services manager. Their new replacements have decided that their information enterprise is secure enough and that their financial constraints are too binding. Suffice it to say that while their predecessors made a HUGE improvement to their HIPAA program over the past three years, this company is still working to implement some of the key security controls recommended to prevent them from being the next Aveanna (although notably on a much smaller scale). So, politely, we believe that the new team really doesn't understand their requirements or their actual security state.
We don't know why healthcare leaders continue to endanger their clients' ePHI and frankly, their business reputation and profitability. Every week it seems that a new class action lawsuit is announced. Every week new names are added to HHS' Wall of Shame. It's really startling to read the "before" and "after" pictures of two companies on the same path in the same morning. We also don't know why HIPAA remains so elusive. While we LOVE working with our clients and even people that we don't end up performing projects with, it's amazing how the masses still don't know HIPAA requirements - both at the tactical level (e.g. a compliance officer) and at the strategic level (e.g. the C-suite).
Of course, we wish both companies well and hope they learn to protect their ePHI.
Stay (HIPAA) safe,