More than 4.2 million people were affected by a July 2022 healthcare data breach at Independent Living Systems, the Miami-based vendor of clinical and third-party administrative services to managed care organizations serving elderly and disabled individuals disclosed March 14. This is the largest health data breach reported so far this year, according to a BankInfoSecurity article.

ILS said that the company noted the inaccessibility of certain computer systems on its network on July 5, 2022. ILS said it responded to the incident immediately and began an investigation with the assistance of outside cybersecurity specialists. The investigation showed that an unauthorized user had obtained access to certain ILS systems between June 30 and July 5, 2022, during which time information stored on the network was accessible and potentially viewed, the company said.

ILS said it conducted a comprehensive review to understand the scope of potentially affected information and to identify the individuals to whom such information related. The company received the results of the review on Jan. 17, 2023, and then worked to validate the results and provide notice to potentially affected individuals and entities. The company previously notified potentially affected individuals on Sept.2, 2022, by posting a preliminary notice of the data breach on its website as well as by providing preliminary notice to primary state and federal regulators. 

“Now that our review and validation efforts are complete, we are notifying potentially affected individuals via posting this supplemental notice on our website, providing notice to the media, and mailing letters to potentially affected individuals for whom ILS has address information,”  the company said. “ILS is also providing supplemental notice to its primary state and federal regulators, initial notice to certain additional state regulators (as required), and initial notice to the three major consumer reporting agencies (i.e., Equifax, Experian, and TransUnion).”

Types of personal  information that might have been accessed, according to ILS,  include names, addresses, dates of birth, driver’s license numbers, state identification numbers, Social Security numbers, financial account information, medical record numbers, Medicare or Medicaid identification numbers, diagnoses codes or diagnoses information, admission/discharge dates and other medical information.

Berwyn, PA-based Sauder Schelkopf LLC filed a class action lawsuit against ILS on March 19. According to court records, the lawsuit alleges that ILS failed to adequately protect and safeguard patient data, then waited eight months to issue individual notifications to affected individuals that their “highly sensitive” patient data was known to have been compromised.

The healthcare industry remains the top target of computer hackers, according to a January report by the Identity Theft Research Center. The center said that 322 healthcare organizations suffered data breaches in 2022, making 2022 the third year in a row that the industry led all others in the number of data compromises.

Healthcare firms accounted for 19% of the 1,802 breaches last year, followed by financial services companies, with 268 breaches; manufacturing and utilities, with 249 breaches; and professional services firms, with 224 breaches, according to the report. In 2021, healthcare accounted for 15% of breaches tracked by the Identity Theft Research Center.