Cyber Incident Victim: Independent Living Systems
Date:
Jun 2022
Location:
United States of America
Summary
A Miami-based healthcare administration firm suffered a cybersecurity incident impacting approximately 4.2 million individuals, marking one of the largest healthcare sector breaches of its period. Unauthorized actors accessed systems during a six-day intrusion, compromising sensitive personal data including names, Social Security numbers, taxpayer identification details, medical records, and health insurance information. The breach discovery triggered a multi-month investigation to determine affected parties, with preliminary notifications issued months prior to final confirmation. Exposed individuals were offered complimentary identity protection services for one year. The incident reflects broader trends of significant healthcare data compromises during its timeframe, involving both external attacks and systemic vulnerabilities.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
Independent Living Systems (ILS), a Miami-based healthcare administration and managed care solutions provider, suffered a cybersecurity incident that compromised the personal data of 4,226,508 individuals. The breach, discovered on July 5, 2022, involved unauthorized access to ILS systems between June 30 and July 5, 2022. During this six-day period, threat actors acquired and potentially viewed sensitive information stored on the network. The compromised data included full names, Social Security numbers, taxpayer identification numbers, medical information, and health insurance details. This exposure created significant risks for affected individuals, including potential phishing attacks, social engineering attempts, and long-term privacy violations. ILS initiated an investigation following the discovery, which confirmed the scope of unauthorized access and data acquisition. The incident represented the largest healthcare sector data breach disclosed in 2023 based on the number of impacted individuals.
ILS completed its internal review to identify affected parties on January 17, 2023, more than six months after detecting the breach. However, preliminary notifications had been sent to some individuals as early as September 2, 2022. The company provided breach notifications that included instructions for enrolling in one year of free identity protection services through Experian. The breach occurred during a period of heightened cybersecurity incidents across the healthcare sector, with multiple organizations reporting major data exposures in early 2023. These included a February 2023 ransomware attack affecting 3.3 million patients at California medical groups, a Fortra GoAnywhere MFT vulnerability impacting Community Health Systems, and Cerebral's March 2023 disclosure of a tracking misconfiguration affecting 3.18 million users. The ILS incident underscored systemic vulnerabilities in healthcare data management through its scale and the sensitivity of exposed information.