Independent Living Systems, LLC (ILS), a provider of services to managed care organizations, disclosed a significant data breach in March. However, the breach actually occurred in mid-2022. Approximately 4.2 million individuals were impacted by this breach.
On July 5, 2022, ILS experienced an incident involving the inaccessibility of certain computer systems on their network. During this period, some information stored on the ILS network was acquired by unauthorized actors, while other information was accessible and potentially viewed.
Specific weaknesses are not disclosed, but potential vulnerabilities could include:
- Insufficient Access Controls: Unauthorized actors gaining access suggests weak controls.
- Lack of Intrusion Detection: Failure to detect unauthorized activity promptly.
- Third-Party Risks: Assessing security practices of vendors or partners.
ILS learned about the breach on July 5, 2022, when they detected the inaccessibility of their systems. Immediate response efforts led to the discovery of unauthorized access.
A lengthy list of personal data may have been impacted, including:
- Name
- Address
- Date of birth
- Driver’s license
- State identification
- Social Security number
- Financial account information
- Medical record number
- Medicare or Medicaid identification
- CIN#
- Mental or physical treatment/condition information
- Food delivery information
- Diagnosis code or diagnosis information
- Admission/discharge date
- Prescription information
- Billing/claims information
- Patient name
- Health insurance information
ILS, in response, promptly notified affected individuals.
- The company likely conducted a thorough investigation.
- Facing at least five class-action lawsuits indicates the severity of the breach.
To prevent similar breaches, strengthen access controls and intrusion detection, assess third-party security practices regularly, and enhance incident response capabilities.