Data Breaches Reported by Aveanna Healthcare, RxBenefits, and City of Hope

Aveanna Healthcare Encounters a Breach of Email Account

Home health and hospice care provider, Aveanna Healthcare located in Atlanta, GA, reported a security breach of its email network and a compromise of the information of 65,482 individuals. The healthcare provider discovered suspicious activity in a worker’s email account on September 22, 2023. The email account was secured right away. An investigation was started to find out the type of activity, and if patient information was compromised or stolen.

The investigation proved that an unauthorized third party obtained access to its email platform and likely acquired files that included patient data. Third-party experts analyzed the affected files to identify the persons impacted and the types of records that might have been breached. Aveanna Healthcare accomplished that action on March 12, 2024, and began sending the notification letters to the affected individuals on March 15, 2024. The impacted persons were given free identity theft protection services.

The types of information concerned differed from one individual to another and could have included names combined with at least one of the following: birth date, Social Security number, state identification or driver’s license number, health data, diagnosis, treatment data, MRN/patient ID number, incidental health reference, provider name, medical insurance details, prescription details, Medicare/Medicaid number, and treatment cost data. Aveanna Healthcare mentioned it did not discover any information that signifies the misuse of patient information.

Impermissible Disclosure of PHI as a Result of RxBenefits Mailing Error

Pharmacy Benefits Administrator RxBenefits based in Birmingham, AL identified a mailing error that prompted the delivery of letters to the wrong recipients. The mailing error was detected on January 16, 2024, and it was confirmed that letters meant for 3,396 people were delivered to other people. The letters stated that beginning January 1, 2024, medicines needed by the supposed recipient or a dependent would need a doctor’s authorization. The letters included names and addresses and confirmed that the supposed recipient or their dependent got that medicine. The impacted persons were AdventHealth Employee Health Plan members.

RxBenefits stated it is going over its HIPAA privacy and security guidelines and protocols to make sure continuing compliance and extra security and privacy steps were enforced to stop the same incidents later on.

827,000 Individuals Affected by City of Hope Cyberattack

Non-profit clinical research and cancer treatment center City of Hope in Duarte, California has reported a compromise of the personal data and protected health information (PHI) of 827,149 persons in a 2023 cyberattack. The treatment center detected suspicious activity in parts of its network on October 13, 2023. After systems were secured and mitigation measures were implemented, a forensic investigation was started to find out the nature and extent of the breach. A third-party cybersecurity organization helped investigate and confirmed the unauthorized access to parts of its network from September 19, 2023 to October 12, 2023. At that time, copies of certain files were stolen from its systems.

The late issuance of notifications was because of the time needed to perform a comprehensive analysis of all files on the breached systems to find out the scope of the data breach. The investigation is still in progress, but City of Hope already affirmed that the files included personal data and PHI. The types of information affected differed from one person to another and contained names along with at least one of these data: contact details like telephone numbers and email addresses, birth dates, driver’s license numbers, Social Security numbers, other government ID numbers, financial data like bank account numbers and credit card information, medical insurance data, medical records, medical backgrounds, diagnoses/health conditions, medical insurance data, and unique internal patient identifiers.

City of Hope stated extra and improved safety measures were applied immediately and a top cybersecurity company reviewed the security of its data, systems, and network. The impacted people are currently being informed by mail. City of Hope is providing free credit monitoring and identity theft protection services for two years to those whose data were exposed during the attack.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. Follow on Twitter: You can follow Elizabeth on twitter at