Independent Living Systems (“ILS”), a Miami, FL-based provider of third-party administrative services to managed care organizations, was recently hit with a lawsuit after informing the Maine Attorney General that it suffered a data breach that has affected up to 4,226,508 individuals – the largest healthcare data breach to be reported so far this year.
When Did The Breach Happen?
According to the lawsuit, ILS identified suspicious activity within its computer systems on July 5, 2022. Assisted by third-party cybersecurity experts, ILS determined that unauthorized individuals accessed its network between June 30, 2022, and July 5, 2022, and acquired files containing sensitive data.
ILS conducted a comprehensive review of all affected files and was provided with the results of the review on January 17, 2023. ILS then worked to validate those results and obtain up-to-date contact information for the affected individuals to allow notification letters to be sent.
What Information Was Obtained By The Hackers?
The information compromised included
- dates of birth,
- state ID numbers,
- Social Security numbers,
- taxpayer ID numbers,
- financial account information,
- Medicare/Medicaid IDs,
- diagnosis codes/diagnosis information,
- admission/discharge dates,
- mental/physical conditions,
- treatment information,
- food delivery information,
- prescription information,
- billing/claims information,
- health insurance information.
The types of information varied from individual to individual.
Who Is Affected By The Breach?
The affected individuals had previously received services directly from ILS, via its covered entity subsidiaries: Florida Community Care LLC and/or HPMP of Florida Inc (dba Florida Complete Care), or from other data owner clients/health plans.
ILS said it added a preliminary notice to its website on September 2, 2022, but was not able to send notification letters until the review and validation process had been completed. Notification letters started to be mailed to affected individuals on March 14, 2023. Affected individuals have been offered complimentary credit monitoring services.
ILS said it has been working on implementing additional safeguards to prevent further cyberattacks, including fortifying its firewall, updating complexity requirements for credentials, implementing additional internal security procedures, updating its employee training protocols, and providing additional training to its workforce.
What Is ILS Doing To Help Victims Of The Breach?
According to the notification letter sent by ILS, victims are cautioned to remain vigilant against fraud. ILS is offering complimentary Identity Protection Services for an undisclosed period of months..While it is a start, it may prove inadequate in the long-run as industry security experts are of the opinion that hackers may chose to sit on the data until such time as the Identity Protection Services ends.