On March 14th, Miami based Independent Living Systems (ILS) disclosed a healthcare data breach that impacted more than 4 million individuals, the largest reported healthcare data breach of 2023, so far. More on the so far part later.
Hackers were in their network from June 30th to July 5, 2020, when the company discovered that its network was accessed and employee data had been exfiltrated. Here’s a snippet of what the data breach notice said.
On July 5, 2022, ILS experienced an incident involving the inaccessibility of certain computer systems on its network. ILS responded to the incident immediately and began an investigation with the assistance of outside cybersecurity specialists. Through our response efforts, ILS learned that an unauthorized actor obtained access to certain ILS systems between June 30 and July 5, 2022. During that period, some information stored on the ILS network was acquired by the unauthorized actor, and other information was accessible and potentially viewed. Upon containing the incident and reconnecting its computer systems, ILS conducted a comprehensive review to understand the scope of potentially affected information and identify the individuals to whom such information relates. ILS received the results of this review on January 17, 2023, and then worked as quickly as possible to validate the results and provide notice to potentially impacted individuals and entities.
The types of impacted information varies by individual and could have included: name, address, date of birth, driver’s license, state identification, Social Security number, financial account information, medical record number, Medicare or Medicaid identification, CIN#, mental or physical treatment/condition information, food delivery information, diagnosis code or diagnosis information, admission/discharge date, prescription information, billing/claims information, patient name, and health insurance information.
But the part that catches my attention is this:
ILS previously notified potentially affected individuals on September 2, 2022 by posting a preliminary notice of this data event on its website. Additionally, ILS previously provided preliminary notice to its primary state and federal regulators. Now that its review and validation efforts are complete, ILS is notifying potentially affected individuals via this media release, posting supplemental notice on its website, and mailing letters to potentially affected individuals for whom ILS has address information. ILS is also providing supplemental notice to its primary state and federal regulators, initial notice to certain additional state regulators (as required), and initial notice to the three major consumer reporting agencies (i.e., Equifax, Experian, and TransUnion).
Yeah, it took over six months to identify and notify victims. #Fail.
Tim Schultz, VP, Research & Development at SCYTHE had this to say:
“Healthcare data – the most treasured record in the Underground Economy.
“The healthcare industry is going to continue to be targeted by threat actors and I don’t see it stopping anytime soon. Similar to other industries where more restrictive cybersecurity controls may have a broader business impact, cybersecurity maturity lags behind. Since medical information can be leveraged in future attacks against individuals either for social engineering or extortion, the data stolen will be valuable for a long time.”
Healthcare is a huge target for threat actors as evidenced by these major breaches:
• February, Heritage Provider Network – 3.3 million patients
• February, Community Health Systems – 1 million patients
• March, Cerebral – 3.1 million patients
The take home message here is that the healthcare sector needs to up its game to stop this from happening over and over again. Because with the scale of hacks that we see in this sector, there clearly isn’t enough being done to safeguard data.