Senior Healthcare Firm Pays Breach Settlement to StatesAvalon Health Care Pays $200,000 to Utah and Oregon, Pledges Security Enhancements
A nursing and assisted living care firm that delayed reporting a data breach to authorities paid a $200,000 fine to two state attorneys general and pledged to implement a security incident response plan.
A settlement between Avalon Health Care Management and the states of Utah and Oregon doesn't require the company to admit guilt.
An employee of the Salt Lake City-based firm in July 2019 opened a phishing email that led to a breach affecting 14,500 individuals. The breach included names, addresses, government identifier numbers and medical treatment information.
Avalon did not notify affected individuals or report the incident to state and federal regulators until about 10 months after the breach, the attorneys general said in a Dec. 27 statement.
"Close to 2,000 Oregonians assumed - incorrectly - their information was safe with Avalon," said Oregon Attorney General Ellen Rosenblum.
Oregon data breach law requires companies to give notice no later than 45 days after discovering a breach. A Utah statute directs companies to deliver notifications "without unreasonable delay." Federal law stipulates a 60-day deadline for reporting breaches of unsecured protected health information affecting 500 or more individuals. State attorneys can sue for violations of HIPAA on behalf of state residents.
Avalon's breach report to HHS' Office for Civil Rights was submitted in February 2020 as an email hacking incident affecting just 2,717 individuals, according to the HHS OCR HIPAA Breach Reporting Tool website.
"What stood out to me about this breach was the patient population, older and likely Medicare and/or Medicaid beneficiaries," says regulatory attorney Rachel Rose about why state regulators in Utah and Oregon likely pursued the Avalon breach for enforcement actions.
Other issues contributing to the Avalon incident include "low-hanging fruit," such as a lack of employee training and the apparent lack of implementing multifactor authentication, she says.
"With the potential for downstream Medicaid fraud, the states, like the federal government, have a vested interest" to take enforcement actions in certain health data breaches, such as the Avalon incident, she says.
Avalon did not immediately respond to Information Security Media Group's request for comment.
Besides paying a $200,000 fine, Avalon agreed to implement the following data security improvements:
- Develop and implement a detailed data security incident response plan.
- Develop, implement and maintain a comprehensive information security program.
- Implement multifactor authentication for remote network access.
- Maintain email protection and filtering solutions;
- Provide employee training, including topics such as social engineering schemes, and administer mock phishing exercises.