Infosys McCamish Systems provided early warning to 57,000 Bank of America customers of the data breach.
Marianne Kolbasuk McGee (Health Infosec) • June 28, 2024
Insurance software products and services vendor Infosys McCamish Systems has notified approximately 6.1 million people about a ransomware incident in 2023 that may have exposed sensitive data, including Social Security numbers, medical procedures, financial information and biometric information.
In a report Thursday, IMS told the Maine Attorney General that the hack, which was discovered on Nov. 2, 2023, affected approximately 6.08 million people, including 11,866 Maine residents.
IMS, a subsidiary of Atlanta-based Infosys BPM Limited, filed a notice with the U.S. Securities and Exchange Commission on Nov. 3, 2023, reporting a cybersecurity incident related to the “unavailability” of certain IMS systems and applications.
In a notice posted on its website, IMS said it learned that certain IMS systems had been encrypted by ransomware on November 2, 2023.
“That same day, IMS began an investigation with the assistance of third-party cybersecurity experts retained through its external legal counsel to determine the nature and scope of the activity, assist in its containment, and ensure that no unauthorized activity continues,” the statement said.
IMS also said it immediately notified law enforcement. The company said the incident has since been contained and remediated. A cyber forensic investigation determined that the unauthorized activity occurred between October 29 and November 2, 2023.
In February, IMS reported to the Maine Attorney General that the incident affected its client, Bank of America, and about 57,000 deferred benefit plan customers (see “Hack of software services company affects 57,000 Bank of America customers”).
Since then, through an ongoing investigation and a “thorough and time-consuming review of the data at issue,” IMS has determined the extent of the personal information that was improperly accessed or obtained, according to the company’s most recent data breach report filed with Maine regulators.
“IMS processes data on behalf of numerous organizations as part of providing enterprise and business marketplace services to its clients,” the breach notification letter states.
“IMS has notified customers whose data was subject to unauthorized access or acquisition. Where IMS is considered a data owner, IMS is in the process of notifying individuals whose personal information was subject to unauthorized access or acquisition.”
The company’s investigation found that the data exposed in the incident included Social Security numbers, dates of birth, medical procedure and record information, biometric data, email addresses and passwords, driver’s license numbers or state ID numbers, financial account information, payment card information, passport numbers, tribal ID numbers, and U.S. military ID numbers.
IMS said it is not aware of any cases in which affected individuals’ personal information has been misused since the incident, but is offering affected individuals 24 months of free identity and credit monitoring.
The company said it was also taking steps to reduce the likelihood of similar incidents occurring in the future. “We continue to make further improvements to strengthen our cybersecurity posture,” IMS said in the breach notice.
Pending litigation
IMS already faces at least two federal class action lawsuits related to the hacking incident, which were consolidated into a single lawsuit in May in the U.S. District Court for the Northern District of Georgia. The lawsuits were filed in March and May by two plaintiffs who were Bank of America customers affected by the data breach.
The consolidated complaint alleges, among other claims, that IMS was negligent in failing to protect the sensitive personally identifiable information of plaintiffs and class members.
The lawsuit seeks monetary damages and an injunction requiring IMS to improve its cyber practices and controls, including implementing and maintaining a comprehensive information security program.
Attorneys representing IMS in its latest breach report filed with the Maine attorney general did not immediately respond to Information Security Media Group’s request for additional information about the incident, such as how many customers other than Bank of America were affected by the hack.
IMS said last week that its revenue for the year ending Dec. 31, 2023, fell for the first time in eight years, dropping 4.3% to $442 million.
The company said resolving the devastating cyberattack cost it $30 million, according to a report by Indian business news outlet LiveMint.