Polymer

Summary

  • Independent Living Systems announced a data breach impacting over 4.2 million individuals’ personal health information.
  • The attack is the latest in a string of incidents impacting healthcare organizations.
  • The breach happened in July last year, but victims are only being sent letters now.
  • Lessons for covered entities are to improve incident response and reporting processes, and to shore up their data protection tooling.

Miami-based healthcare software provider Independent Living Systems (ILS) is in the hot seat this week, after announcing a data breach that impacted over 4.2 million individuals.

The incident, which is the largest healthcare breach of the year so far, came to light on March 14, when the company shared an announcement stating it experienced an “incident involving the inaccessibility of certain computer systems on its network” on July 5, 2022. 

We know what you’re thinking. Why is a data breach that occurred almost a year ago only coming to light now? We’ll explain everything there is to know below. 

ILS breach: A timeline of events 

ILS submitted a breach notification to the Office of the Attorney General explaining that it discovered its network was compromised on July 5, 2022. 

ILS is keeping tight-lipped on exactly how the attacker managed to break into its systems, although some are speculating that ransomware could be involved, given that the breach notification mentioned “incident involving the inaccessibility of certain computer systems”.

The notification states that, as soon as the company realized it was compromised, it responded immediately and hired third-party cybersecurity specialists to perform a forensic investigation. 

From this, “ILS learned that an unauthorized actor obtained access to certain ILS systems between June 30 and July 5, 2022. During that period, some information stored on the ILS network was acquired by the unauthorized actor, and other information was accessible and potentially viewed.”

Eight months later, on January 17, the cybersecurity specialists delivered a full review of the incident to ILS, which found that the unauthorized actor most likely accessed sensitive protected health information (PHI), including names, addresses, dates of birth, driver’s license information, Social Security numbers, financial account information and medical information, including Medicare and Medicaid identification and medical records.

Now, as every covered entity will know, HIPAA gives healthcare entities a 60-day deadline to notify HHS’ Office for Civil Rights (OCR) about breaches impacting 500 or more individuals.

So, it’s no surprise that on September 2, 2022, ILS posted a vague notice about the breach on its website and served a preliminary notice to regulators. However, it’s only now that the company is reaching out directly to those impacted.

What are the ramifications of the incident? 

Eight months is a long time for attackers to hold stolen PHI unchallenged. Armed with this data, they might have performed a range of successful social engineering attacks or committed online fraud impacting millions of victims.

Worse still, the victims would have had no idea that they were vulnerable because ILS failed to notify them until eight months later.  

ILS’ defense is that it needed to conduct a comprehensive review to understand the full extent of the breach. Its notification explains: “Now that our review and validation efforts are complete, we are notifying potentially affected individuals via posting this supplemental notice on our website, providing notice to the media, and mailing letters to potentially affected individuals for whom ILS has address information.”

In a gesture of goodwill, the company is also offering those impacted one year of free identity protection services by Experian, but all of these efforts might be too little, too late. 

Already, for example, we’re seeing numerous US-based law firms send out appeals to ILS customers to get in touch. It seems that a class-action lawsuit might be brewing. 

It will also be interesting to see what the OCR makes of ILS’ response to the incident. Could there be a big penalty coming the company’s way?

Lessons learned

First off, the ILS incident is indicative of a wider trend. We’ve seen several high-profile data breaches impacting the healthcare sector this quarter. In February, numerous entities in California fell victim to ransomware, exposing the data of over 3 million patients. 

Then healthcare company CHS announced it had been impacted by a zero-day vulnerability, while healthcare provider Zoll suffered a hack resulting in the exfiltration of over 1 million individuals’ PHI.

All of this is to say that the healthcare sector is clearly a top priority for malicious actors. Covered and non-covered entities need to beware and shore up their defenses. Otherwise, they could be next.

For this incident in particular, though, there are a few lessons that stand out. Firstly, ILS has been far from exemplary in its approach to data breach notifications. While it ‘technically’ complied with the HIPAA breach notification rule, the company failed to proactively notify victims until eight months after the incident happened. 

Given the sensitivity of the data involved, this timeframe just isn’t good enough, and we predict regulators and law firms will say the same. 

Organizations should take note. Notifying individuals of sensitive data leaks and exfiltration in a timely manner is vital. To bolster incident response capabilities, companies should look to NIST’s Computer Security Incident Handling Guide as a go-to framework and optimize it for HIPAA compliance.  

Beyond that, we must remember that, in an ideal world, this incident would have never happened in the first place. Better defense is crucial, and cyber-attacks against healthcare organizations are always after one thing: sensitive information. 

To that end, healthcare organizations must make protecting sensitive data and patient privacy their top priorities. While this is increasingly challenging in the age of the cloud and remote working, there are tools that can help. 

How Polymer DLP can help

Using artificial intelligence, machine learning and natural language processing techniques, tools like Polymer Data Loss Prevention (DLP) automate data discovery and management, helping organizations to seamlessly protect PHI from accidental exposure or theft.

By automating the process of discovering, protecting and managing PHI, combined with the principles of zero trust and controls like data redaction, healthcare organizations can dramatically minimize the risks of data exposure, even in the event that a user identity is compromised. 
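To make the discovery-and-redaction step concrete, here is an added illustration in Python. It is not Polymer’s code and says nothing about how Polymer DLP works internally; it shows the simplest pattern-based form of the idea, scanning a record for the identifier types named in the ILS notification (Social Security numbers, Medicare IDs, contact details, dates of birth) and replacing each hit with a typed placeholder. The patient record, the identifiers in it, and the `PHI_PATTERNS` names are all constructed for the example.

```python
"""Pattern-based PHI discovery and redaction (illustrative, not a product)."""
import re

# Hypothetical detector set. Each entry is one identifier type a DLP scan
# would look for in free text; the names are this example's own.
PHI_PATTERNS = {
    # Date of birth when explicitly labelled (bare dates alone are not PHI).
    "dob": re.compile(r"(?<=\bDOB )\d{2}/\d{2}/\d{4}\b"),
    # US Social Security number in the common dashed form.
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # Medicare Beneficiary Identifier: 11 characters, optionally dashed.
    # The letter positions exclude B, I, L, O, S and Z, so a look-alike
    # reference number using those letters is correctly left alone.
    "medicare_id": re.compile(
        r"\b[1-9][AC-HJKMNP-RT-Y][AC-HJKMNP-RT-Y0-9]\d-?"
        r"[AC-HJKMNP-RT-Y][AC-HJKMNP-RT-Y0-9]\d-?"
        r"[AC-HJKMNP-RT-Y]{2}\d{2}\b"
    ),
    # North American phone number, e.g. (305) 555-0142 or 305-555-0142.
    "phone": re.compile(r"\(?\b\d{3}\)?[ -]?\d{3}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}

# Constructed sample record; every value here is fictitious.
SAMPLE_RECORD = (
    "Patient: Jane Doe, DOB 04/12/1961\n"
    "SSN: 123-45-6789\n"
    "Medicare ID: 1EG4-TE5-MK72\n"
    "Phone: (305) 555-0142\n"
    "Email: jane.doe@example.com\n"
    "Claim ref: 9ZZ4-XX5-QQ00 (looks like an MBI but uses disallowed letters)\n"
)


def find_phi(text):
    """Return non-overlapping (start, end, kind, value) tuples, sorted by offset."""
    hits = []
    for kind, pattern in PHI_PATTERNS.items():
        for m in pattern.finditer(text):
            hits.append((m.start(), m.end(), kind, m.group(0)))
    hits.sort()
    kept, last_end = [], -1
    for hit in hits:                       # drop any hit overlapping a kept one
        if hit[0] >= last_end:
            kept.append(hit)
            last_end = hit[1]
    return kept


def phi_summary(text):
    """Count hits per identifier type; useful for triage before redaction."""
    counts = {}
    for _, _, kind, _ in find_phi(text):
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def redact_phi(text, mask="[REDACTED-{kind}]"):
    """Replace each hit with a typed placeholder.

    Hits are applied right to left so that earlier offsets stay valid
    after the text changes length.
    """
    out = text
    for start, end, kind, _ in reversed(find_phi(text)):
        out = out[:start] + mask.format(kind=kind.upper()) + out[end:]
    return out


if __name__ == "__main__":
    print(phi_summary(SAMPLE_RECORD))
    print(redact_phi(SAMPLE_RECORD))
```

Two things the example deliberately shows: the look-alike claim reference survives redaction because the Medicare pattern enforces the identifier’s letter rules, and the patient’s name is untouched, since names cannot be found by a fixed pattern at all. That gap is exactly why the tools the post describes layer NLP-based entity detection on top of pattern matching.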

Find out how Polymer DLP can protect your organization from a cloud security incident today. Request a free demo now. 

Polymer is a human-centric data loss prevention (DLP) platform that holistically reduces the risk of data exposure in your SaaS apps and AI tools. In addition to automatically detecting and remediating violations, Polymer coaches your employees to become better data stewards. Try Polymer for free.
