A PREVENTABLE DISASTER

Infosys McCamish Systems (IMS) holds the keys to the kingdom. As a major service provider for the insurance industry, it was entrusted with the most sensitive data imaginable for millions of people. In return, the company made a public promise on its own website: “Infosys adopts reasonable and appropriate security controls… to safeguard your Personal Information.”

That promise was broken. According to legal filings, between October 29, 2023, and November 2, 2023, cybercriminals infiltrated IMS’s systems. The company was targeted for the same reason a bank is: it held a vault of highly valuable assets. Except in this case, the assets were your identity, your medical history, and your financial future.

The lawsuit claims this wasn’t a sophisticated, once-in-a-generation hack. It was a “direct result of Defendant’s failure to implement adequate and reasonable cyber-security procedures.” The company knew, or should have known, that software vendors are prime targets. The FBI has issued warnings. Countless other corporations have fallen victim. Yet IMS allegedly left the door unlocked, with millions of lives stored in unencrypted files, ready for the taking.

THE NON-FINANCIAL LEDGER: MORE THAN DATA, A BETRAYAL

The corporate ledger only shows profits and losses in dollars. It doesn’t have a column for dignity, privacy, or peace of mind. The real harm from this breach isn’t just about fraudulent credit card charges; it’s about the theft of self.

The information stolen by criminals forms the very foundation of modern identity. Social Security numbers, medical records, biometric data: these things are permanent. They cannot be cancelled and reissued like a credit card. The victims of this breach now face a “continued and certainly increased risk” that will follow them for the rest of their lives. Every loan application, every new job, every interaction with the government is now tainted with the possibility of fraud.

The company’s delayed and vague notification letter, sent around June 27, 2024, only compounded the injury. For months, 6 million people were in the dark while their stolen identities were potentially being bought and sold. This isn’t just a data breach; it’s a profound violation of trust.

LEGAL RECEIPTS: A TEXTBOOK SECURITY FAILURE

The legal complaint against IMS reads like a checklist of what not to do. It details a “reckless manner” of data handling, where information was left “in a condition vulnerable to cyberattacks.” The breach itself was a classic ransomware attack, where criminals not only lock up systems but also exfiltrate, or steal, the data before encrypting it. This “encryption+exfiltration” tactic is common, and experts warn companies to assume data has been stolen in any ransomware incident.

The notice IMS sent to victims admits that an investigation found “data was subject to unauthorized access and acquisition.” But it omits the root cause, the specific vulnerabilities exploited, and what concrete steps were taken to prevent a repeat disaster.

The implication is clear: the tools to prevent this were readily available. They are industry-standard practices. The lawsuit argues that IMS’s failure to use them was not just an oversight, but a negligent disregard for the rights of the millions who trusted them.

SOCIETAL IMPACT: THE ‘GOLD STANDARD’ OF THEFT

The consequences of this breach ripple outward, impacting not just individuals, but societal trust. The complaint highlights the unique danger of stolen Social Security numbers, which some courts have called the “gold standard” for identity theft. Unlike other identifiers, an SSN is virtually permanent. With it, a thief can open new financial accounts, file fraudulent tax returns, obtain government benefits, and even give false information to the police.

The Social Security Administration itself warns: “Someone illegally using your Social Security number and assuming your identity can cause a lot of problems.” Victims are often not believed, forced into a bureaucratic nightmare to prove their own identity against a thief’s actions.

The theft of Protected Health Information (PHI) is a deep violation of privacy, exposing sensitive medical treatment and record information. This data can be used for sophisticated fraud or extortion, turning a person’s health into a weapon against them. For the 6 million victims, the private has been made public, and the cost will be paid not by the corporation that failed them, but by the people whose lives are now an open book for criminals.

WHAT NOW? YOUR DATA IS GONE. DON’T LET THEM FORGET IT.

The damage is done. The data is out there. An offer of 24 months of credit monitoring is a band-aid on a bullet wound. Real accountability requires sustained pressure. While the legal system slowly churns, there are actions we can take.

THE WATCHLIST

• Corporate Leadership: The Board and Executives of Infosys McCamish Systems, LLC, and its parent company, Infosys. Their decisions, or lack thereof, allegedly created the conditions for this disaster.
• Regulatory Bodies: The Federal Trade Commission (FTC) and the FBI are cited in the complaint. Watch them for any public action or penalties against the company.
• The Courts: The case is Deana Lindley v. Infosys McCamish Systems, LLC, filed in the U.S. District Court for the Northern District of Georgia, Case No. 1:24-cv-03024-JPB. Follow its progress.

THE RESISTANCE

Demanding justice can’t just happen in a courtroom. It requires organized, grassroots power.

• Mutual Aid: If you were a victim, share information and resources with others. Collective knowledge is a defense against corporate obfuscation.
• Local Organizing: Pressure the 34+ insurance companies that used IMS as a vendor. They chose to give your data to this company. Demand they answer for that decision and provide real, lifetime protection for their customers.
• Demand Better Laws: This breach is another piece of evidence that we need federal data privacy laws with teeth. We need mandatory encryption standards and severe, non-negotiable financial penalties for corporations that treat our personal data as a disposable asset.