Healthcare software firm ILS announces data breach affecting more than 4 million people
The sensitive healthcare data of more than four million people was accessed by hackers who broke into the network of Independent Living Systems (ILS), a healthcare software company based in Miami.
The company has provided third-party administrative services to health plans, providers, hospitals, and pharmaceutical and medical device companies for nearly two decades.
ILS began sending breach notification letters out on Tuesday following a July 5, 2022 cyberattack.
“Through its response efforts, ILS learned that an unauthorized actor obtained access to certain ILS systems between June 30 and July 5, 2022. During that period, some information stored on the ILS network was acquired by the unauthorized actor, and other information was accessible and potentially viewed,” the company explained in documents filed with Maine’s Attorney General.
The information includes names, addresses, dates of birth, driver’s license numbers, Social Security numbers, financial account information and medical data such as diagnosis codes and health insurance information.
The company told state officials in Maine that 4,226,508 people were affected by the breach. In a statement, ILS said it will be providing victims with 12 months of identity protection services.
ILS did not respond to requests for comment about why it took so long to notify victims about the breach or whether it was a ransomware attack.
The company said it posted a notice about the breach on its website on September 2, 2022 and notified federal officials as well as state-level agencies in Florida. It received the final results of an investigation into the incident on January 17, 2023 and began notifying other states about the attack this week.
Several massive breaches have been announced this year by healthcare organizations involving troves of sensitive personal information like Social Security numbers and tax information.
Last week, medical device maker Zoll said a cyberattack in January exposed the sensitive information of more than 1 million people. Community Health Systems — which controls almost 80 hospitals across 16 states — told the SEC that more than one million patients were affected by a data breach. A data breach involving Washington, D.C.’s healthcare exchange platform included the sensitive information of Congress members and staff alongside more than 100,000 residents of the city. That data is now being sold on dark web forums.
More than 3.3 million patients had their Social Security numbers and more leaked in a December ransomware attack on California’s Heritage Provider Network, and Hawaii’s Department of Health said a cyberattack in January gave hackers access to the state’s death registry.
Comparitech’s Brian Higgins told The Record that aside from opening millions of people up to identity theft, phishing emails and more, the incident involving ILS “highlights the incredibly slow progress the U.S. are making in consumer protection.”
“Most first-world jurisdictions have regulations and legislation in place which force organizations and businesses to report data breaches in a very swift timeframe, sometimes within days of discovery, thus allowing time for victim organizations to offer remedial advice and resources to their affected clients and supply chain,” he said.
“The fact that this critical personal information has been in the wild for so long before ILS decided they should report it to their customers makes their offer of free identity protection a bit of a waste of time.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.