Home healthcare company Aveanna Healthcare began notifying an undisclosed number of patients and employees Feb. 18 that their information may have been exposed in a phishing attack.
In August, Aveanna discovered suspicious activity in a limited number of employee email accounts. Upon investigation, the home health company determined that an unauthorized third party had accessed the accounts between July 9 and Aug. 24, 2019.
Patient and employee data that may have been exposed included Social Security numbers, dates of birth, employee identification numbers, bank account numbers, credit card information, passport numbers, driver's license numbers, usernames and passwords, medical record numbers, patient account numbers, diagnosis information, treatment types and locations, physician names, health insurance information, billing information, Medicare/Medicaid identification numbers, and medication information.
Aveanna said there is no evidence that patient data has been misused. The investigation could not determine if patient and employee data was viewed or removed from the email accounts.
"We take the confidentiality, privacy and security of information in our care very seriously," said Aveanna in an online statement. "While we have security measures in place to protect information in our care, we are also taking steps to implement additional safeguards and review policies and procedures in order to protect the security of information on our systems. Specifically, we immediately changed the credentials for the involved email accounts and have since implemented additional security measures for all employee email accounts and access to [Aveanna] systems including multi-factor authentication."