Infosys McCamish Systems, an insurance software product and services vendor, recently sent out notifications to nearly 6.1 million individuals regarding a ransomware incident that took place in 2023. The breach potentially exposed sensitive data such as Social Security numbers, medical treatment records, financial information, and biometric data. The incident was discovered on November 2, 2023, and affected around 6.08 million individuals, including 11,866 residents of Maine.
IMS, a subsidiary of Atlanta-based InfoSys BPM Limited, reported the cybersecurity breach to the U.S. Securities and Exchange Commission on November 3, 2023. According to the company, certain IMS systems were encrypted by ransomware, leading to a comprehensive investigation with the help of third-party cybersecurity experts. The unauthorized activity took place between October 29 and November 2, 2023, and law enforcement was promptly notified.
Following a cyber forensic investigation, it was revealed that the breach impacted data including Social Security numbers, birthdates, medical records, biometric information, email addresses, driver’s license numbers, financial account details, payment card information, passport numbers, tribal ID numbers, and U.S. military ID numbers. IMS has confirmed that there have been no instances of fraudulent use of the compromised data thus far.
In response to the breach, IMS is providing affected individuals with 24 months of complimentary identity and credit monitoring services. The company is also taking steps to enhance its cybersecurity measures to prevent similar incidents in the future. Despite these actions, IMS is facing litigation in the form of federal class action lawsuits consolidated into one case filed in the U.S. District Court for the Northern District of Georgia.
The lawsuits allege negligence on the part of IMS in safeguarding sensitive personal information and seek financial damages as well as injunctive relief to improve cybersecurity practices. The incident has had financial implications for IMS, with the company reporting a revenue decline for the first time in eight years, amounting to $442 million for the year ended December 31, 2023. The cost of resolving the cyberattack was reported to be $30 million.
An attorney representing IMS in the breach report to Maine’s attorney general has not provided additional details on the incident, including the impact on other clients besides Bank of America. IMS continues its efforts to address the repercussions of the breach and strengthen its cybersecurity posture to prevent future incidents.