Massive ILS leak included data of more than 20,000 Iowa Medicaid recipients

Thousands of Medicaid recipients in Iowa had their personal information leaked in a 2022 attack on the healthcare software company Independent Living Systems (ILS), the state's Department of Health and Human Services revealed this week.

The Miami-based company explained in documents filed with Maine’s Attorney General last month that more than four million people were affected by a breach of their systems.

The information leaked included names, addresses, dates of birth, driver’s license numbers, Social Security numbers, financial account information and medical data such as diagnosis codes and health insurance information.

Officials in Iowa said that the information of 20,800 Iowa Medicaid members was involved in the ILS breach.

“Medicaid takes the privacy of Iowans’ personal and health information seriously,” said Elizabeth Matney, Iowa medicaid director. “We regret the inconvenience and the concern this incident may cause Medicaid members in Iowa. HHS will continue to do everything possible to protect member information from unauthorized access.”

Officials confirmed that Iowa’s Medicaid system was not breached. But the organization works with a private contractor named Telligen, which provides annual assessments for Medicaid members to make sure they are receiving the correct healthcare services.

The state said Telligen subcontracted some of that work to ILS, which has provided third-party administrative services to health plans, providers, hospitals, and pharmaceutical and medical device companies for nearly two decades.

Despite the initial breach of ILS’ network occurring in July 2022, the company only finished its investigation in the last two months, informing Telligen of the leak on February 14. Telligen in turn notified Iowa officials on February 17.

Iowa officials did not respond to requests for comment on if they will continue to work with Telligen and ILS after the leak.

The state plans to send out breach notification letters this week to those who were affected. It is unclear how many other states were impacted by the ILS breach. ILS has an annual estimated revenue of $191.7 million.

Paul Bischoff, the editor of tech services website Comparitech, told The Record that the disclosure of the breach took far too long, giving hackers more than eight months to exploit the leaked information.

“A lot of damage could have already been done. Criminals could use the breached info for identity theft, Medicaid fraud, and phishing, among other attacks,” he said.