Long-Term Care Services Firm Says Breach Affects 4.2 Million
'Inaccessible Computers' Incident Initially Reported as Affecting 501 People
A vendor of clinical and third-party administrative services to managed care organizations serving elderly and disabled patients said a cybersecurity incident last summer has affected more than 4.2 million individuals.
Florida-based Independent Living Systems in a breach disclosure described the incident as involving inaccessible computers.
ILS did not immediately respond to Information Security Media Group's request for clarification of whether what it described as an incident "involving the inaccessibility of computer systems" is a way of describing ransomware.
ILS initially reported the incident on Sept. 2, 2022, to federal regulators as a hacking/IT incident involving a network server that affected just 501 individuals, according to the Department of Health and Human Services' HIPAA Breach Reporting Tool website for health data breaches.
Had ILS reported the breach to HHS OCR last year as affecting 4.2 million individuals, the incident would rank as the largest single known health data breach in 2022.
Race to Report
Healthcare entities facing a 60-day deadline to notify HHS' Office for Civil Rights about HIPAA breaches affecting 500 or more individuals will sometimes submit reports with very rough estimates about how many people were affected as the investigations into their incidents continue.
ILS in September posted a preliminary breach notice about the incident on its website.
"Now that our review and validation efforts are complete, we are notifying potentially affected individuals via posting this supplemental notice on our website, providing notice to the media, and mailing letters to potentially affected individuals for whom ILS has address information," the company said in an updated notice on its website this week.
The ILS incident demonstrates some of the tough challenges organizations face in the aftermath of a major data security incident, including accurately identifying and notifying affected individuals, some experts have said.
"Data breaches are time-consuming to investigate," said Tom Walsh, president of privacy and security consulting firm twSecurity.
For example, if phishing or compromised email accounts are implicated in a cybersecurity incident, "all of the saved email messages from the mailboxes of each employee - or email user - need to be examined for protected health information or personal identifiable information content," he said.
Depending on the size of an organization, how many email accounts were affected, the tenure of the employees whose email accounts were compromised, and whether the company has an email retention policy that includes purging old email, a review of whose PHI or PII was compromised might take many weeks or months, Walsh said.
"Once a list of names is generated, the list needs to be checked for duplicates to eliminate sending a patient multiple notices regarding the same breach," he said. "The more patients that may have been affected by a data breach, the longer it takes to determine a list of names and contact information of those that were affected."
ILS owns and operates Florida Community Care, a statewide Medicaid long-term care provider service network, as well as Florida Complete Care, a Medicare Advantage special-needs plan for patients who live in nursing homes, assisted living facilities or at home and have complex health issues that require comprehensive care and coordination.
In its updated breach notice, ILS said its investigation into the incident determined that an "unauthorized actor" had obtained access to certain ILS systems between June 30 and July 5, 2022.
"During that period, some information stored on the ILS network was acquired by the unauthorized actor, and other information was accessible and potentially viewed," ILS said.
ILS said it conducted a comprehensive review to understand the scope of potentially compromised information and identify the individuals affected.
"We received the results of this review on Jan. 17 and then worked as quickly as possible to validate the results and provide notice to potentially impacted individuals and affiliated data owners, as required under applicable law and contract," ILS said.
Potentially compromised information includes name, address, birthdate, government identifiers, financial account information, treatment for mental or physical ailments and diagnosis codes.