The largest healthcare data breach reported so far this year affected 4.2 million individuals, primarily elderly and special needs patients who receive Medicare or Medicaid. Miami-based Independent Living Systems LLC (ILS) is a business associate that provides clinical and third-party administrative services to managed care organizations, health plans, and providers.
Now ILS is facing several class action lawsuits filed in the last several days. This is a common result when breaches affect so many people at once.
ILS initially reported the breach to the Office for Civil Rights (OCR) on September 2, 2022, as affecting 501 individuals, but as their investigation continued, they discovered the breach was much larger than they first realized. They then updated the report on March 14, 2023, in a news release that described the breach scope in more detail.
According to the news release, ILS first noticed that certain computer systems on its network were inaccessible on July 5, 2022. They soon learned that an unauthorized actor had gained entry between June 30 and July 5, 2022.
“During that period, some information stored on the ILS network was acquired by the unauthorized actor, and other information was accessible and potentially viewed.”
After the investigation was completed on January 17, 2023, ILS then validated the results and began to provide notice to potentially impacted individuals and entities, many months after the breach occurred, and after ILS’ first breach report to OCR.
Every Data Point Imaginable
The list of types of protected health information (PHI) compromised by the breach is comprehensive. According to the ILS report, the information disclosed varied by individual but may have included names, addresses, Social Security numbers, financial account information, medical record numbers, Medicare or Medicaid information, mental and physical treatment information, food delivery information, dates of birth, driver’s license numbers, diagnosis codes, admission and discharge dates, billing information, health insurance information, and prescription information.
Class Action Lawsuits Filed
Predictably, there’s been a rush to the courthouse to sue ILS for negligence. Five proposed class action lawsuits have been filed so far in federal court in the Southern District of Florida. At least one of the lawsuits claims that ILS was “aware of the high risk of cyberattacks yet failed to maintain reasonable and appropriate data privacy and security measures” and alleges negligence, negligence per se, unjust enrichment, and a violation of the Florida Deceptive and Unfair Trade Practices Act.
Strong HIPAA Compliance and Risk Management
The best defense against cyber attacks is following HIPAA, conducting a Risk Analysis, and maintaining vigilance over Risk Management year round. But if a breach occurs, if a hacker breaks through in spite of your care, the lawsuits and the OCR investigations are much easier to defend because you can demonstrate you were not negligent and did everything possible to safeguard patient data. We don’t know the full facts about what may have gone wrong at ILS. If they can prove they followed current best practices, complied with HIPAA, and maintained strong cybersecurity protections, the outcome will be much less expensive and more manageable.