Healthcare Firm ILS Alerts 4.2 Million People Of Data Breach

By Adeola Adegunwa
Writer, Informationsecuritybuzz | Mar 17, 2023 08:57 am PST

A data breach at Independent Living Systems (ILS), a Miami-based supplier of healthcare administration and managed care solutions, exposed 4,226,508 people’s data. It is this year’s largest disclosed healthcare data breach by number of affected individuals.

ILS owns and manages Florida Community Care, a network of long-term care providers serving Medicaid beneficiaries throughout the state, as well as Florida Complete Care, a Medicare Advantage special-needs plan for individuals with complicated medical conditions who reside in assisted-living facilities, nursing homes, or their own residences and who need all-encompassing care and integration.

According to the notification it provided to the Office of the Maine Attorney General, the organization found that its network had been compromised on July 5, 2022. Between June 30 and July 5, 2022, the criminals had access to ILS systems and to the data on them. The firm acknowledged the breach, which led to the company losing control of its computer networks, earlier this year. It disclosed this week that almost the entire facility was compromised.

What Got Compromised In The Data Breach

In a statement on Tuesday, the business said that “the unlawful actor had stolen some content stored on their network, and other information was easily accessible and presumably viewed.” After containing the incident and reconnecting its computer systems, ILS conducted a thorough review to comprehend the scope of possibly affected information and identify the people to whom such information pertains.

On January 17, 2023, after receiving the review’s findings, the healthcare provider worked as quickly as possible to verify them and inform any affected parties. Not only were patients’ names revealed or compromised; other information such as Social Security numbers (SSNs), taxpayer identification numbers, treatment information, and details about health insurance was also leaked.

The privacy of the affected patients is severely compromised because attackers could use this knowledge to perpetrate phishing or social engineering attacks against the individuals involved.

Despite the compromise, ILS claimed there had been no cases of forgery or theft of credentials connected to it. The company declined to state with certainty what data the hacker, who went unnamed, obtained. ILS claimed it performed a thorough investigation to comprehend the extent of the breach after regaining access to its internal computer system in July.

Problems With Healthcare Data Breach

The last decade indicates that the problem of hackers accessing healthcare systems and the personal information they contain is getting worse. More than 10% of Americans, or 42 million people, have had their data compromised since 2016, according to a study from the end of the previous year.

A Russian malware group targeted the Lehigh Valley Health Network in Pennsylvania earlier this month and demanded ransom in exchange for their release of cancer patients’ narcissistic photos. After a hacker took down its systems, Tallahassee Memorial HealthCare, which serves nearly 400,000 patients throughout Florida, was left using pen and paper for five days.

The influx congested the emergency room, and some patients had to be turned away. The websites of 14 prestigious US institutions, including Duke University and Stanford, were taken down in January by the notorious Russian cyber group Killnet. The systems of CommonSpirit Health were compromised last year, exposing more than 20 million Americans.

Data on Healthcare Ransomware Attack This Year

Numerous significant data leaks in the healthcare industry during the first quarter of 2023 exposed the private medical information of millions of people. Multiple medical organizations in California, United States, revealed in February 2023 that an attack involving ransomware had compromised the data of 3.3 million patients.

A few days later, CHS (Community Health Systems), a major player in the healthcare industry, revealed that it had been affected by a zero-day vulnerability in Fortra’s GoAnywhere MFT product, which exposed some of its data.

3.18 million people received notices of a data breach from the healthcare platform Cerebral on March 10, 2023, alerting them of a violation of confidentiality caused by a tracker’s incorrect configuration on the system.

Potential Cautions To Healthcare Data Breach

A data breach happens when unauthorized people gain access to or use private patient data. Healthcare groups may suffer financial setbacks, legal repercussions, and reputational harm as a result of data breaches.

Healthcare organizations should contain the breach. Such a company must determine the kind of data compromised and the scope of the breach. This may entail reviewing logs, performing forensic analysis, and reviewing system settings. 

Following the containment of the breach, the organization is obligated by law to notify those who were impacted. Information about the breach, the kind of data that was compromised, and self-protection measures should all be included in this notice.

Investigating the breach to understand how it occurred and how it might be stopped from happening again will also help. A risk assessment, a review of the policies and procedures, and training of the staff in spotting and responding to possible breaches can all be part of this.

The next thing that could be done is to address any vulnerabilities found during the investigation to remedy the breach. This can entail updating security measures, implementing new policies and procedures, and training employees on best practices for data security.

Healthcare organizations’ systems should be monitored to ensure the breach has been completely fixed and there are no new vulnerabilities. Regular staff training, continuing risk assessments, and system monitoring can all be part of this.

Conclusion

Independent Living Systems (ILS), a Miami-based healthcare administration and managed care solutions provider, suffered a breach of 4,226,508 people’s data, this year’s largest healthcare data breach by number of victims. ILS owns and manages Florida Community Care, a Medicaid-funded network of long-term care providers, and Florida Complete Care, a Medicare Advantage special-needs plan for people with complex medical conditions who live in assisted-living facilities, nursing homes, or at home and need comprehensive care and integration.

Healthcare data breaches pose a severe risk to patient privacy and may harm an organization’s finances and reputation. Healthcare organizations should have a plan in place for dealing with data breaches, which should include actions for containing the breach, informing the impacted parties, investigating the breach, resolving any vulnerabilities, and monitoring systems to prevent further breaches. Healthcare organizations can protect patient data and lessen the effects of a data breach when these measures are taken into consideration.

2 Expert Comments
Jocelyn Houle, Senior Director, Data Governance
InfoSec Expert
March 21, 2023 11:32 am

Just one week after the Zoll Medical data breach that exposed the sensitive information of more than 1 million individuals, threat actors have accessed the sensitive healthcare data of over 4 million people by hacking the networks of Independent Living Systems (ILS). The series of data breaches against healthcare organizations comes as no surprise, but what is surprising is that week after week more organizations fall prey to the same type of attacks.

These data breaches against healthcare organizations highlight the increasing need to make data management, privacy and security a top priority to ensure patients’ private information remains private. AI & ML techniques to automate data management processes are becoming an essential step to mitigating the risk of the exposure of personal health information (PHI). Automating policies by locating, protecting, and managing PHI reduces the risks of a breach, and coupled with controls such as least privilege access and techniques such as data masking, organizations can minimize exposure and damage in case of an attack. Implementing a privacy management software also helps by providing cross-system visibility to identify insider threats and prevent threat actors from accessing healthcare organizations’ networks.

Daniel Selig, Security Automation Architect
InfoSec Expert
March 21, 2023 11:28 am

Independent Living Systems (ILS), a Miami-based healthcare software firm providing third-party administrative services to healthcare providers, has recently disclosed that a July 2022 cyberattack has resulted in a data breach exposing the personal data of 4,226,508 people. Information compromised in the attack and resulting breach include names, Social Security numbers, health insurance information and financial account data. 

Unfortunately, we continue to see an uptick in healthcare-related cyberattacks and data leaks. Just last week, medical device maker Zoll disclosed a data breach affecting over 1,000,000 people, and more than 10,000 Congress members and Washington, D.C. residents have their data for sale on dark web forums after D.C. Health link, a healthcare exchange platform, leaked sensitive information. 

Healthcare organizations are a popular target for cybercriminals due to the degree of sensitive information stored in their systems and the vulnerability of their patients. Because of this, bad actors tend to have the mindset that they will be more likely to pay larger sums of money to regain control of this information. Luckily, there are steps that organizations can take to ensure that things don’t escalate to this point. Companies should consider low-code security automation solutions in order to leverage streamlined detection and implement proper incident response, ultimately ensuring first-rate protection free of human error. Endpoint security tools that integrate low-code security automation give healthcare services a cohesive protection strategy that ensures complete protection of even the most sensitive data.
