This is the second time in two months that Spectrum Health Lakeland announced the occurrence of a breach exposing some patients’ protected health information (PHI). The last breach happened at business associate Wolverine Services Group affecting approximately 60,000 patients.
The most recent breach involved the access of an email account by an unauthorized person because the owner responded to a phishing email. Just as in the last breach, a business associate was involved.
OS, Inc., a billing services provider, discovered on December 21, 2018 the access of one of its employee’s email account by an unauthorized person. The email account contained the PHI of around 1,100 patients of Spectrum Health Lakeland.
OS Inc. noticed suspicious activity in an employee’s email account and hired a third-party computer forensics specialist to investigate. The investigators did not find any evidence that suggest the access or theft of any PHI in messages and attachments. But, it cannot be ruled out with certainty that there was no data access or exfiltration.
Therefore, the breach was deemed as a reportable incident and required that patients be notified. The patient information contained in the email account included names, addresses, dates of service, health services given, diagnoses, and the medical insurance providers.
OS Inc informed Spectrum Health Lakeland regarding the breach on March 8, 2019 . Technology experts have been working to establish the full magnitude and nature of the breach. Spectrum Health Lakeland will keep on using the business associate but is working on ensuring the implementation of additional protections to stop any more breaches.
Although there is no Social Security number or other highly sensitive data exposed, OS Inc decided to offer free identity theft protection and resolution services to affected persons for one year through Experian IdentityWorks.