Less than a week after the news of the data breach at Zoll Medical, it’s been revealed that hackers managed to breach healthcare provider Independent Living Systems (ILS) and steal sensitive data from millions of users in July 2022.
That’s according to a notification filed with the Office of the Maine Attorney General (via BleepingComputer) by ILS earlier this week.
Per that notification, the company said that, during the attack, sensitive data on 4.2 million individuals were taken, including full names, Social Security numbers, taxpayer identification numbers, medical information, and health insurance information.
Customers notified
“Through its response efforts, ILS learned that an unauthorized actor obtained access to certain ILS systems between June 30 and July 5, 2022,” the notice reads.
“During that period, some information stored on the ILS network was acquired by the unauthorized actor, and other information was accessible and potentially viewed.”
This means that the stolen data can now potentially be sold on the dark web, used in phishing and social engineering attacks, or in cases of identity theft.
The company said it had already notified the affected individuals and offered them one year of free identity protection services, courtesy of Experian.
Some details remain unknown at this time. We don’t know who the threat actor behind the attack is, or whether this was a ransomware attack. We also don’t know how the attackers compromised ILS’ networks – if a user inadvertently shared their login credentials, or if a zero-day vulnerability was abused through malware.
Cybercriminals usually steal sensitive data while encrypting target endpoints, and then threaten to expose that data on the internet unless a payment is made.
For Jocelyn Houle, Senior Director, Data Governance at Securiti, an attack on a healthcare organization isn’t surprising, but it does highlight the need to make data management, privacy, and security a top priority.
“AI & ML techniques to automate data management processes are becoming an essential step to mitigating the risk of the exposure of personal health information (PHI).”
“Automating policies by locating, protecting, and managing PHI reduces the risks of a breach, and coupled with controls such as least privilege access and techniques such as data masking, organizations can minimize exposure and damage in case of an attack.”
“Implementing a privacy management software also helps by providing cross-system visibility to identify insider threats and prevent threat actors from accessing healthcare organizations’ networks.”