On March 25, 2022, Lutheran Social Services of Illinois (LSSI) notified HHS of a breach affecting 1,000 people. The incident, still under investigation by HHS, was coded as a “Hacking/IT Incident” involving data on the network server.
On January 25, 2023, LSSI notified the Maine Attorney General’s Office of a breach affecting a total of 184,183 people.
In its newest report, LSSI reports that on January 27, 2022, they discovered they had been hit with a ransomware attack. Almost one year later, on December 28, 2022, they discovered that “certain personal information maintained on our systems was potentially accessed by an unauthorized party from December 31, 2021 to January 27, 2022.”
Based on the timeframe and the fact that this was a ransomware attack, the March 2022 report to HHS was probably just a first report on the incident, although that is somewhat speculative on DataBreaches’ part.
But does the newest report to Maine of 184,183 affected cover only patients/clients, or does it include others who would not be reportable under HIPAA? It’s unclear because Maine requires entities to report the total number of people affected, whereas HHS only reports the number of patients affected.
LSSI’s notification does not explain why it took them a year from initial event/discovery to figure out who was affected and whom to notify.