The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Independent Living Systems Sued Over 4 Million-Record Data Breach

Posted By on Mar 21, 2023

It has only been a few days since the Miami-based healthcare administration and managed care solutions provider, Independent Living Systems (ILS), issued notification letters about a data breach affecting 4,226,508 individuals but a lawsuit has already been filed in response to the data breach. Since this article was published, at least 5 lawsuits have now been filed against ILS over the data breach – the largest healthcare data breach to be reported so far this year.

ILS Identified the breach in July 2022 and determined unauthorized individuals had access to its network between June 30, 2022, and July 5, 2022. During that time they exfiltrated files containing sensitive patient data, including names, contact information, Social Security numbers, Medicare/Medicaid IDs, health information, and health insurance information. ILS posted a breach notice on its website in September 2022 and informed the HHS’ Office for Civil Rights, using the common placeholder of 501 records until the full extent of the breach was known. In its notification letters, ILS said it was not possible to send individual notifications until March 14, 2023, due to time-consuming review and validation processes. Affected individuals were offered complimentary credit monitoring services and security measures have been enhanced to prevent further data breaches.

One of the first lawsuits was filed by Joseph G. Sauder of the law firm Sauder Schelkopf, LLC, in the U.S. District Court for the Southern District of Florida on behalf of plaintiffs Eddie and Herminia Basulto and similarly situated individuals. The lawsuit alleges ILS failed to adequately protect and safeguard patient data, then waited 8 months to issue individual notifications to affected individuals, even though highly sensitive patient data was known to have been compromised. The lawsuit claims that ILS was aware of the high risk of cyberattacks yet failed to maintain reasonable and appropriate data privacy and security measures and alleges negligence, negligence per se, unjust enrichment, and a violation of the Florida Deceptive and Unfair Trade Practices Act.

The lawsuit claims the plaintiffs and class members suffered injury and damages including a substantially increased risk of identity theft and medical identity theft, breach of confidentiality of their personal and health information, deprivation of the value of their personal and health information, and they have lost time and money protecting against identity theft and fraud and will have to continue to invest time and money to protect their identities in the days, weeks, and months to come. The lawsuit seeks class action status, a jury trial, declaratory relief, injunctive relief, monetary damages, statutory damages, punitive damages, equitable relief, and all other relief authorized by law.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

Lawsuits have also been filed by The Emerson Firm, PLLC, and R B Brown III PA/Chestnut Cambronne/The Lyon Firm which make similar allegations and further lawsuits will undoubtedly be filed considering the magnitude of the data breach. If the lawsuits are granted standing and survive motions to dismiss, they will most likely be consolidated into a single lawsuit.

It should be noted that it is now common for multiple lawsuits to be filed in response to healthcare data breaches, especially data breaches that affect tens of thousands of individuals or more. While lawsuits often claim there has been lax security because a data breach has occurred, that is not necessarily the case. Further, in order for a data breach lawsuit to succeed, there must have been an injury. The courts often dismiss lawsuits that solely allege a future risk of harm from the exposure of personal data. For example, in 2021, the U.S. Supreme Court ruled in TransUnion LLC v. Ramirez that the mere risk of future harm is insufficient to confer Article III standing in a suit for damages.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist