In two months, Spectrum Health Lakeland had announced the occurrence of two breaches that caused the exposure of the protected health information (PHI) of some patients. The first breach involved Wolverine Services Group impacting roughly 60,000 patients.
In the second breach, an unauthorized person got access to an email account because of the account owner responding to a phishing email. Just like in the previous breach, there was a business associate involved, billing services provider OS Inc.
OS Inc. discovered the unauthorized account access on December 21, 2018. The compromised email account hold the PHI of roughly 1,100 Spectrum Health Lakeland patients.
OS Inc. observed something suspicious in the employee’s email account, so it was investigated by a third-party computer forensics professional. The investigators didn’t uncover any information that indicate the PHI access or theft in the email messages and attachments. Nevertheless, data access or exfiltration can’t be ruled out with 100% confidence.
For this reason, the breach was regarded as a reportable breach and necessitated the notification of patients. The patient data included in the compromised email account were names, addresses, health services received, dates of service, diagnoses, and medical insurance provider information.
OS Inc advised Spectrum Health Lakeland concerning the incident on March 8, 2019. Technology experts are looking into the scope and nature of the breach. Despite the incident, Spectrum Health Lakeland will still use OS Inc’s services but additional protections will be implemented to avoid any more breaches.
Though no Social Security number or highly sensitive information was compromised, OS Inc opted to give one year no cost identity theft protection and resolution services to the people affected by the breach through Experian IdentityWorks.