The healthcare provider recently notified patients and the Department of Health and Human Services (HHS) of a data breach.
What happened
AVALA Holdings, an innovative healthcare provider in Louisiana, recently announced that it faced a data breach in May.
The company alerted the HHS on July 28th, 2025, approximately two months following the breach, noting that the incident impacted 22,732 individuals. Through an investigation, AVALA determined the breach was the result of a hacking/IT incident on their email network.
Going deeper
AVALA is a unique care provider, offering robotic surgery for hip, knee, and spine surgeries. Outside of their technology, they also offer other surgeries, imaging, and therapeutic care.
In the breach notice, AVALA said the breach took place on May 30th. On July 23rd, the investigation concluded and AVALA determined that the following data was exposed: names, addresses, dates of birth, medical treatment information, health insurance information and Social Security numbers.
AVALA stated that it has begun notifying patients out of an abundance of caution. The company said it is also taking additional steps to prevent a similar event from occurring in the future.
The big picture
According to the notice to the HHS, this breach was caused by a hack to the email network. These breaches can be caused by phishing, hacking a password, and more. By using strong, HIPAA compliant email software, like Paubox, organizations can easily prevent email-related data breaches.
FAQs
Why do some breaches get reported quickly, and some take longer to be reported?
When a breach gets reported generally depends on how quickly the breach is detected and investigated. For more complex breaches, this can be a time-consuming process. Conversely, AVALA moved expeditiously through the investigation process, allowing them to quickly report the incident.
What happens if an organization fails to report a data breach in a timely manner?
According to the HHS, data breaches impacting more than 500 individuals must be reported within 60 days. If an organization fails to report a breach within that timeframe, it may be subject to additional penalties.
