Miami-based healthcare administration and managed care solutions provider Independent Living Systems (ILS) has experienced the largest data breach in the healthcare sector disclosed this year, exposing the personal information of 4.2 million individuals.
The breach was discovered on July 5, 2022. The perpetrators had access to ILS systems, and to the data stored on them, between June 30 and July 5, 2022. Personal information that may have been accessed includes names, Social Security numbers, medical information and health insurance information.
The breach could enable threat actors to launch phishing or social engineering attacks against affected individuals, severely impacting their privacy. Some affected individuals were informed of the incident on September 2, 2022, based on preliminary results, and the company completed its internal review on January 17, 2023.
Instructions for enrolling in one year of free identity protection services by Experian have been included in notifications. The first quarter of 2023 has seen notable data breaches in the healthcare sector: medical groups in California disclosed that a ransomware attack had exposed the data of 3.3 million patients; healthcare giant CHS disclosed that a zero-day vulnerability in Fortra's GoAnywhere MFT product resulted in data being compromised; and healthcare platform Cerebral informed 3.18 million people of a data breach that compromised their privacy.
Ilia Sotnikov, Security Strategist and VP of User Experience, Netwrix, shared more on ILS' response to the incident: “The timeline of the events is the first thing to note. The fact that it took two months to start notifying the impacted customers, and well over 6 months to file the official breach notification is just stunning.
“We can probably expect another wave of calls for stricter federal regulations around breach notifications.
“ILS is doing the right thing by covering the identity protection services cost of the customers whose personally identifiable information (PII) was leaked. However, the leaked data also includes very sensitive medical information. This is putting impacted individuals at risk of phishing, social engineering attacks or in some cases even blackmailing. Considering the unauthorized access itself took place in June-July 2022, some of the victims could have already fallen prey to the attackers.
“In the recently published Cybersecurity strategy, the Biden-Harris administration is calling for more proactive actions to disrupt the threat actors. We can expect that such attacks on healthcare and insurance institutions that impact vulnerable groups of citizens will be used to justify new legislation to allow the federal government to take more proactive steps to counter cybercrime groups.”