
Independent Living Systems hit with 5 lawsuits after breach update to 4.2M patients


Five class action lawsuits were filed against Independent Living Systems (ILS) in the last week, in response to its recently updated breach notice sent to 4.2 million patients. ILS is a healthcare business associate for Florida Complete Care.

ILS is accused of storing patient data in a reckless and negligent manner, failing to provide adequate notice, maintaining patient data on a “system and network in a condition vulnerable to cyberattack”, and failure to “take necessary” steps to secure private data from risks, according to one of the lawsuits filed in the US Southern District of Florida.

Patient data “was compromised due to ILS’ negligent and/or careless acts and omissions and the failure to protect” private information, according to the filing.

The flurry of legal activity plays into a growing trend facing healthcare providers: massive breach notices promptly followed by law firms launching “investigations” to find “victims” of the reported incidents. BakerHostetler data confirmed the alarming rate of breach lawsuits in 2022, with hospitals seeing the largest rise in legal filings tied to this trend.

The filings against ILS align with the previous BakerHostetler data, as the Miami-based business associate first reported the breach to the Department of Health and Human Services in September 2022. At the time, a placeholder of 501 potential victims was listed on the breach reporting tool, which was not met with any lawsuits.

The recent notice only shed light on the investigation findings and provided the massive breach tally for the apparent ransomware and data exfiltration incident. While each of the five lawsuits argues the provider waited eight months to notify patients, ILS first reported the incident in September.

According to ILS, it detected “an incident involving the inaccessibility of certain computer systems” on July 5, 2022, with the actor dwelling on the system for nearly a week. The access allowed the threat actor to exfiltrate some data, while other information was accessible to the attacker or potentially viewed.

The data varied by patient and could include names, contact details, Social Security numbers, dates of birth, driver’s licenses, state IDs, financial accounts and medical record numbers. The data was later sold on the dark web. The updated notice shows ILS has not received any reported claims of fraud attempts from the incident.

According to the lawsuits, the “actual harm” incurred by the incident was “ascertainable losses” due to out-of-pocket expenses, time spent mitigating the attack’s effects, and “the benefit of their bargain.”

The suits also suggest the patients are at “substantial and imminent risk of identity theft or fraud.” The updated breach notice does not show ILS as offering credit monitoring or identity theft services to impacted patients.

ILS is accused of failing to adequately protect patient data, using inadequate security practices, and failing to “effectively secure hardware” or use “effective security procedures free of vulnerabilities and incidents.” It should be noted that no hardware or security measures are foolproof.

One lawsuit also claims ILS failed “to follow applicable, required, and appropriate protocols, policies, and procedures regarding the encryption of data, even for internal use.” The provider’s “conduct amounts to negligence and violates federal and state statutes.”

Another filing alleges that ILS “has also purposefully maintained secret the specific vulnerabilities and root causes of the breach and has not informed” breach victims of that information. While the information would be useful, this type of disclosure is not required by federal laws or the Health Insurance Portability and Accountability Act.

Each of the lawsuits seeks injunctive relief that includes a number of required security updates, penetration testing, and third-party auditing, as well as a mandate to promptly correct any problems or issues detected by the outside reviews and for ILS to “purge, delete, and destroy in a reasonable secure manner PII and PHI not necessary for its provisions of services.”

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
