HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Phishing Attack Impacts 1,100 Spectrum Health Lakeland Patients

For the second time in the space of two months, Spectrum Health Lakeland has announced that a breach has exposed the protected health information (PHI) of some of its patients. The previous breach occurred at Wolverine Services Group and impacted around 60,000 of its patients.

The latest incident involved an unauthorized individual gaining access to an email account as the result of a response to a phishing email. As with the last breach, the incident occurred at a business associate.

OS Inc., a provider of billing services, discovered an unauthorized individual had gained access to an email account of one of its employees. The email account was discovered to contain the PHI of approximately 1,100 Spectrum Health Lakeland patients.

OS Inc. discovered a potential breach on December 21, 2018 after suspicious activity was detected within an employee email account. A third-party computer forensics expert was hired to assist with the investigation and found no evidence to suggest that any PHI in emails and attachments had been accessed or stolen. However, it was not possible to rule out data access or exfiltration with a sufficiently high level of certainty.

Consequently, the breach was determined to be a reportable incident and notifications to patients were warranted. The email account contained a limited amount of patient information such as names, addresses, health services provided, dates of service, diagnoses, and the names of health insurance providers.

Spectrum Health Lakeland was notified about the breach on March 8, 2019 and has been working with technology experts to determine the full extent and nature of the breach. Spectrum Health Lakeland will continue to use the business associate and has been working closely with the company to ensure additional protections are implemented to prevent any further breaches.

Even though Social Security numbers and other highly sensitive information were not exposed, the decision was taken to offer affected individuals identity theft protection and resolution services free of charge for 12 months through Experian IdentityWorks.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.