Data breach affects 4.2 million patients
Independent Living Systems (ILS), a Miami-based company providing clinical and administrative services to managed care organizations, has provided an updated public disclosure of a data breach affecting the information of more than 4.2 million people. The event took place between June 30 and July 5, 2022, during which time an “unauthorized actor” acquired some information and potentially viewed additional data.
ILS mentions that the event involved the “inaccessibility of certain computer systems” on the network, hinting that some type of ransomware may have been involved.
“The types of impacted information varies by individual and could have included: name, address, date of birth, driver’s license, state identification, Social Security number, financial account information, medical record number, Medicare or Medicaid identification, CIN#, mental or physical treatment/condition information, food delivery information, diagnosis code or diagnosis information, admission/discharge date, prescription information, billing/claims information, patient name, and health insurance information,” the company said in a press release.
Initially, the event was reported as a much smaller incident, affecting around 500 individuals, according to BankInfoSecurity. However, by the time the company completed its security investigation in January of 2023, it became clear that the incident affected millions of individuals, the majority of whom are elderly and/or disabled due to the nature of ILS’s services.
“We are unaware of any identity theft or fraud resulting from this event,” the company stated. However, individuals affected by the incident are encouraged to review their banking information, account statements, and credit reports and report any suspicious activity to the relevant entities immediately.
ILS says it took prompt steps in the wake of the event to mitigate any risks and prevent future unauthorized access to personal health information.
“These actions included: (1) fortifying the security of our firewall; (2) utilizing the forensic specialists engaged to monitor our network and remediate any suspicious activity identified; (3) rotating and increasing the complexity of all users’ credentials, and (4) providing notification to potentially affected individuals as quickly as possible,” they explained. “We are also enhancing our existing training protocols and other internal procedures that relate to data protection and security.”
The breach is the largest newsmaker of 2023 so far, eclipsing the February announcement of a December 2022 ransomware attack against California-based Heritage Provider Network, which affected 3.3 million people, notes HIPAA Journal.
Thus far in January and February of 2023, more than 6.5 million people have been affected by healthcare data breaches. While the number of individual events is lower than last year’s average, the large-scale nature of each incident means that more people overall are being notified of the potential for misuse of their personal health information.
Healthcare provider entities remain at the highest risk of improper data exposure, and hacking remains the number one cause of privacy and security events.
Covered entities must have a solid and comprehensive plan for preventing data breaches, including staying up to date with the latest antivirus and firewall software, training staff to be alert to phishing and ransomware attempts, and carefully managing vendor relationships.
And if a bad actor does get through the defenses, organizations must take swift remedial action and immediately notify the relevant authorities – not only to close up vulnerabilities, but also to mitigate the organization’s reputational hit. The loss of consumer trust can add significantly to the costs and long-term burdens of a major data breach, resulting in downstream revenue losses from patients or clients choosing to bring their business elsewhere.
Timely disclosures and a transparent, proactive communication campaign can help to manage public perception of the organization’s response and ensure swift recovery when a breach does occur.
Jennifer Bresnick is a journalist and freelance content creator with a decade of experience in the health IT industry. Her work has focused on leveraging innovative technology tools to create value, improve health equity, and achieve the promises of the learning health system. She can be reached at email@example.com.