Long-term care has quietly become one of the most targeted sectors in cybersecurity. In the first quarter of 2025 alone, more than a half-dozen nursing homes and rehabilitation centers reported major hacking incidents affecting more than 130,000 individuals.
The consequences of a breach in this environment are uniquely serious. The residents these facilities serve are among the most vulnerable populations imaginable, and the data they hold is among the most sensitive. A recent high-profile case involving Independent Living Systems offers a sobering look at what's at stake.
What Happened in the Independent Living Systems Data Breach?

Independent Living Systems (ILS), a Florida-based provider of long-term support services to Medicare and Medicaid populations, discovered in July 2022 that an unauthorized party had accessed its network and acquired sensitive files. The breach ultimately affected more than 4 million individuals — making it one of the largest healthcare data breaches on record.
What Was Stolen
The stolen information contained:
- Names
- Social Security numbers
- Taxpayer identification numbers
- Medical information
- Health insurance data
Even worse, affected individuals weren't notified until March 2023, roughly eight months after the breach was discovered.
The Aftermath
The legal fallout of the original cyberattacks was significant. Multiple class action lawsuits were filed, consolidated in federal court, and eventually settled for $14 million. Plaintiffs alleged that ILS had failed to implement reasonable cybersecurity safeguards to protect their information. In addition to the settlement fund, ILS reportedly invested more than $2 million in security improvements after the fact — money that would have been far better spent before the breach occurred.
I get it — it’s difficult to prioritize cybersecurity when budgets are stretched thin, and residents are always going to be top priority. But the financial damage from a cybersecurity failure can be so catastrophic that it puts prevention costs into perspective.
Why Long-Term Care Is a Growing Target for Cybercriminals

I touched on this at the top of the blog — unfortunately, the ILS breach isn't an isolated incident.
The assisted living industry is particularly attractive to cybercriminals because long-term care facilities hold exceptionally high-value data all in one place.
Historically, technology adoption and cybersecurity maturity in this space have lagged behind the broader healthcare industry.
What’s Uniquely Attractive About Healthcare Data?
Medical records are among the most valuable commodities on the black market — not just because they contain personally identifiable information, but because a single record can be leveraged for identity theft, insurance fraud, and prescription drug fraud all at once.
That range of uses makes a health record worth far more to a criminal than a standalone financial record.
What’s Uniquely Attractive About Long-Term Care Financials?
Long-term care facilities carry an additional exposure that other healthcare settings don't always share: many of them manage resident funds directly.
That means attackers who gain access to facility systems may have a pathway to financial accounts belonging to some of the most vulnerable individuals imaginable.
What Complicates Long-Term Care Cybersecurity?
It’s easy to focus on cybersecurity as a set of tools and forget about human behavior. Unfortunately, in addition to having underfunded cybersecurity, the long-term care industry has also earned a reputation for paying ransoms when operations are disrupted. That means cybercriminals get more predictable payouts with these types of targets.
For this and other reasons, cybersecurity professionals and organizations such as the FBI strongly advise against paying a ransom in response to ransomware attacks.
Complicating matters further is the sheer variety of devices now connected to care facility networks — everything from electronic health record systems to nurse call systems, all the way down to personal devices used by residents. Each one is a potential entry point.
The Low-Tech Ways Long-Term Care Facilities Are Often Attacked

The most common way a long-term care facility gets compromised actually isn’t that sophisticated.
An employee opens a malicious email and clicks a link that exposes their login credentials. From there, an attacker can move through a network quietly — sometimes for months — before anyone notices.
This is worth sitting with for a moment. No amount of advanced security infrastructure fully compensates for a staff member who doesn't recognize a phishing attempt. In an environment with high turnover and staff stretched thin across patient care responsibilities, cybersecurity awareness training often falls to the bottom of the priority list. That's exactly the gap attackers exploit.
HIPAA Cybersecurity Requirements for Long-Term Care
Long-term care facilities that handle protected health information (PHI) are subject to HIPAA's Security Rule, which requires covered entities to put in place physical, administrative, and technical safeguards to protect patient data. That means things like access controls, audit logs, encryption, and documented security policies aren't optional — they're required.
The ILS case illustrates what happens when those requirements aren't met. The plaintiffs alleged not just that a breach occurred, but that the organization had failed to implement reasonable and appropriate safeguards. That's a meaningful legal distinction.
A breach alone doesn't necessarily mean HIPAA liability — but a breach combined with inadequate protections is a different story.
Healthcare Cybersecurity Recommendations for Assisted Living and Long-Term Care Facilities

Every organization is different and at a different stage in its cybersecurity posture. However, this is where most long-term care facilities need to focus first:
1. Start With a Security Assessment
You can't protect what you don't know about. A thorough assessment of your current environment — devices, access points, user permissions, data flows — is the foundation of any meaningful security program. Many facilities are surprised by what they find.
This is often where an outsider’s perspective is helpful. When we partner with organizations, it’s never to show up their own IT team. We understand that many internal teams are too busy putting out fires to constantly be on the lookout for new threats.
2. Take Phishing Seriously
Given that email-based attacks remain the leading vector for credential theft, regular staff training isn't a nice-to-have. It should be a recurring part of onboarding and ongoing operations. This includes clinical staff, not just IT or administrative employees.
That’s why it’s included in our cybersecurity checklist — which we’ve recently updated.
To be clear, when I talk about security awareness training, I’m not just talking about sending out a memo now and then, reminding staff not to click on suspicious links. I’m talking about engaging, relevant, and ongoing training with simulated phishing attacks to measure progress.
Staff need to be shown how sophisticated phishing scams might look, with plenty of opportunities to practice identifying them.
3. Tighten Access Controls
Not everyone on your staff needs access to everything!
Role-based access controls limit the damage an attacker can do with a single compromised account — and they're a core HIPAA requirement.
4. Have an Incident Response Plan
One of the compounding factors in the ILS breach was the length of time between discovery and notification. A documented incident response plan helps your team move faster and more decisively when something goes wrong, which matters both for containing damage and for demonstrating good faith in any subsequent regulatory review.
Unfortunately, only ~55% of companies have a fully documented incident response plan. If you’re operating without one, or it’s been years since anyone looked at it, having a solid plan in place — that you test annually — should be a priority.
5. Don't Overlook Connected Devices
Medical devices, building systems, networked printers, and any other devices that touch your network all represent potential vulnerabilities. Segment your network where possible so that a compromised device doesn't become a pathway to your most sensitive systems.
6. Work With a Partner Who Understands Healthcare
General IT support and healthcare-specific cybersecurity are not the same thing. HIPAA compliance requirements, the sensitivity of PHI, and the operational constraints of a care environment all require a partner who has navigated this space before.
What’s more, especially when budgets and time are tight, it’s helpful to have a partner that will prioritize their recommendations so you can focus your resources where they’re most effective.
That’s how we approach cybersecurity — not just compiling lists of to-dos, but working with your teams and your budgets to help you make practical, smart decisions.
Getting a Quick (and Free!) Cybersecurity Health Check
The best business technology decisions always start with clarity — pinpointing where you have gaps, what’s the best way to address them, and where you should start.
No online diagnostic can entirely replace consulting with a Chief Information Security Officer (CISO), but our cybersecurity experts did design one that can help you see where you stand — plus get quick tips on where improvements would make the biggest impact.
