November 10, 2022. The Massachusetts Attorney General settled a case against a national home healthcare company for failing to protect the private health information of Massachusetts residents. Under the terms of the settlement, Aveanna Healthcare, LLC (Aveanna) paid $425,000. While Massachusetts has a state False Claims Act, this particular case relates to a healthcare company’s responsibility to protect its patients’ personal health information. The Health Information Technology for Economic and Clinical Health (HITECH) Act allows for State Attorneys General to sue on behalf of state residents for violations of Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.
The Massachusetts Attorney General alleged that Aveanna, a Georgia-based pediatric and adult home healthcare provider with seven offices in Massachusetts, had insufficient cybersecurity practices and protocols so as to fall victim to a phishing scam targeting employees. During the summer of 2019, malicious actors breached Aveanna employee email accounts, gaining access to Aveanna systems housing 166,000 patients’ protected health information (PHI), approximately 4,000 of whom were Massachusetts residents.
Allegations further include that the home healthcare company did not train its employees on cybersecurity programs, encourage the use of multi-factor authentication, and was aware its cybersecurity systems were deficient at the time of the phishing attacks. Moreover, the Massachusetts Attorney General alleged the company’s cybersecurity program did not meet the minimum requirements under HIPAA or the Massachusetts Data Security Regulations.
For failing to protect patient information, the home healthcare company is paying Massachusetts a $425,000 settlement, must develop and implement a comprehensive cybersecurity plan, must train its employees on cybersecurity best practices, and must report annually on its compliance with the consent judgment and Massachusetts Data Security Regulations for four years. Aveanna also provided free credit monitoring to affected Massachusetts residents. In 2020, affected individuals filed a class action lawsuit against the home healthcare company for failing to promptly report the breach, as HIPAA requires healthcare companies to notify affected patients within 60 days after the discovery of a breach.
Fraud and scams harm patients, and fraud against government-sponsored healthcare programs harms taxpayers as well. Senator Mark Warner (D-VA) published a whitepaper called “Cybersecurity is Patient Safety,” which discusses policy options to improve cybersecurity practices in the healthcare sector. The whitepaper outlines the extremely high cost data breaches present to the healthcare sector and recommends several paths to motivate healthcare organizations to improve their cybersecurity. Notably for the whistleblower space, the whitepaper encourages “improving healthcare providers’ cybersecurity capabilities through incentives & requirements,” versus “mandating cybersecurity improvements with a threat of financial penalties for noncompliance.”
The Department of Justice’s Civil Cyber-Fraud Initiative, launched last October, specifically addresses the applicability of the False Claims Act to situations where individuals or entities doing business with the government knowingly misrepresent their cybersecurity capabilities or fail to report breaches timely. The healthcare sector is massive, and Senator Warner’s whitepaper rightly outlines the challenges facing any cybersecurity modernization and hardening efforts. Whistleblowers keeping their eyes and ears open for potential cyber-fraud can help shift the healthcare industry towards compliance.
If you would like to report home healthcare or cyber fraud, you can contact attorneys at Tycko & Zavareei LLP. Eva Gunasekera and Renée Brooker are former officials of the United States Department of Justice and prosecuted whistleblower cases under the False Claims Act. Eva was the Senior Counsel for Health Care Fraud. Renée served as Assistant Director at the United States Department of Justice, the office that supervises False Claims Act cases in all 94 United States District Courts. Eva and Renée now represent whistleblowers. For a free consultation, you can contact Eva Gunasekera at [email protected] or contact Renée at [email protected] (tel.: 202-417-3664). Visit Tycko & Zavareei LLP’s website for whistleblowers to learn more at https://www.fraudfighters.net/.