On March 14, 2023, Independent Living Systems LLC (ILS), a Florida-based healthcare and managed care solutions provider, reported that it suffered a data breach with the records of some 4.2 million individuals located nationwide potentially stolen.
ILS provides a variety of managed services to several partner health plans and their enrollees and has offices in Oakland, Glendale, and San Diego, California.
According to the company’s Data Breach Notice, an “unauthorized actor obtained access to certain ILS systems between June 30 and July 5, 2022.
During that period, some information stored on the ILS network was acquired by the unauthorized actor, and other information was accessible and potentially viewed.” Despite knowing this, ILS waited more than eight months from the time of this data breach to inform affected consumers.
Individuals affected by this data breach may have started receiving or will soon receive data breach notices about this cybersecurity event in the mail.
Independent Living Systems Class Action Lawsuits
Several class action lawsuits were recently filed in Florida federal court against Independent Living Systems.
The class actions include allegations that ILS stored patient data in a reckless and negligent manner, failed to provide adequate notice, maintained patient data on a “system and network in a condition vulnerable to cyberattack,” and failed to “take necessary” steps to secure private data from such foreseeable risks.
Even though ILS operates in California, no California legal claims have yet been asserted.
The Compromised Data in the ILS Data Breach
According to the ILS data breach notices and class action lawsuits, the following data may have been illegally accessed and stolen:
- First and Last Name
- Medicare identification
- Medicaid identification
- Social Security number
- Taxpayer identification number
- Date of birth
- Food Delivery Information
- Medical information
- Health insurance information
Given the sensitivity of the data potentially exposed, affected individuals may want to take protective steps to secure their personal and health information from further misuse, including monitoring their credit reports, placing a credit freeze with one of the three major credit bureaus, enrolling in fraud alerts, and enabling two-factor authentication when available on personal accounts.
Unfortunately, ILS waited more than eight months from the time of this data breach to inform affected consumers.
The data breach notice provided by Independent Living Systems can be viewed here.
At this time ILS is only offering affected individuals complimentary identity monitoring services through Experian IdentityWorks.
California Privacy Laws Protect You from Data Breach
If you are a California resident and receive a Notice of Data Breach from ILS, you may be entitled to between $100 and $1,000 plus actual damages resulting from the release of your confidential information.
California has unique state laws, including the California Consumer Privacy Act (CCPA) and the California Confidentiality of Medical Information Act (CMIA), that compensate individuals whose confidential and sensitive data have been accessed and viewed without authorization.
Participants in data breach lawsuits, like the class actions filed against ILS, can recover damages, injunctive relief (to make sure that the business has reasonable security practices to protect consumer data from being leaked again), and anything else the court concludes is necessary to compensate data breach victims and prevent these harms from occurring again.
Electronic Personal Data is Highly Valued and Doesn’t Degrade
Cybercrimes present an attractive target for hackers: Data can be bought and sold anonymously, and the going rate per personal record is at least $20, depending on the type of information according to Privacy Affairs Dark Web Index of 2021.
Certain critical types of personal information – like Social Security numbers, names, and birth dates – are impossible to change.
Thieves may wait years to capitalize on this type of compromised personal data. The longer cyber thieves can go undetected, the more they stand to profit from their illegal activities. “The effects of a health data breach on consumers outlast the initial breach.”[1]
Thus, once you know your data has been disclosed, it is reasonable to be concerned that the illegal access of your data will cause you significant financial losses. The stakes are high as data breach victims are more likely to also be victims of more fraud.[2]
Compromised data also increases the risk of hacking, phishing, and increased anxiety over future losses and identity theft.
Corporations Should Be Held Accountable For Data Breaches
When businesses collect and keep personal data about California consumers, under California law they take on the duty to protect that information and keep it safe from hackers, thieves, and other criminals.
However, “it is clear that many organizations need to sharpen their security skills, trainings, practices, and procedures to properly protect consumers.”[3]
[1] Source: R. Bonta, California Attorney General, BULLETIN: Obligation to Proactively Reduce Vulnerabilities to Ransomware Attacks and Requirements Regarding Health Data Breach Reporting (2021).
[2] Source: K. Harris, former Attorney General, California DOJ, California Data Breach Report 2012-2015 (2016).
[3] Same
