Independent Living Systems (ILS), a Miami-based healthcare administration and managed care solutions provider, suffered a data breach that exposed the personal information of 4,226,508 individuals.
The number of impacted individuals makes this the largest data breach in the healthcare sector disclosed this year.
According to the notification submitted to the Office of the Maine Attorney General, the company discovered that its network was hacked on July 5, 2022.
During the subsequent investigation, the firm discovered that the perpetrators had access to ILS systems between June 30 and July 5, 2022, and had access to the data during that time.
“Through its response efforts, ILS learned that an unauthorized actor obtained access to certain ILS systems between June 30 and July 5, 2022,” reads the data breach notice.
“During that period, some information stored on the ILS network was acquired by the unauthorized actor, and other information was accessible and potentially viewed.”
In that period, the threat actors might have accessed the personal information of patients, including:
- Full name
- Social Security number
- Taxpayer identification number
- Medical information
- Health insurance information
Threat actors could use this information to launch phishing or social engineering attacks against the exposed individuals, and it severely impacts the privacy of affected patients.
ILS claims its internal review determining which individuals or entities were impacted was completed on January 17, 2023, over six months after the breach’s discovery.
However, the firm clarifies that some affected individuals were informed about the incident on September 2, 2022, based on preliminary results.
Finally, the notifications include instructions for enrolling in one year of free identity protection services by Experian.
The first quarter of 2023 has seen quite a few notable data breaches in the healthcare sector, exposing the sensitive medical data of millions of people.
In February 2023, multiple medical groups in California, U.S., disclosed that a ransomware attack had exposed the data of 3.3 million patients.
A few days later, healthcare giant CHS (Community Health Systems) disclosed that it was impacted by a zero-day vulnerability in Fortra’s GoAnywhere MFT product, which resulted in some of its data being compromised.
On March 10, 2023, healthcare platform Cerebral sent notices of a data breach to 3.18 million people, informing them of a misconfiguration in trackers used on its platform, which breached the patients’ privacy.