Phishing Attack Impacts 1,100 Spectrum Health Lakeland Patients

Share this article on:

For the second time in the space of two months, Spectrum Health Lakeland has announced that a breach has exposed the protected health information (PHI) of some of its patients. The previous breach occurred at Wolverine Services Group and impacted around 60,000 of its patients.

The latest incident involved an unauthorized individual gaining access to an email account as the result of a response to a phishing email. As with the last breach, the incident occurred at a business associate.

OC, Inc., a provider of billing services, discovered an unauthorized individual had gained access to an email account of one of its employees. The email account was discovered to contain the PHI of approximately 1,100 Spectrum Health Lakeland patients.

OS Inc. discovered a potential breach on December 21, 2018 after suspicious activity was detected within an employee email account. A third-party computer forensics expert was hired to assist with the investigation and found no evidence to suggest that any PHI in emails and attachments had been accessed or stolen. However, it was not possible to rule out data access or exfiltration with a sufficiently high level of certainty.

Consequently, the breach was determined to be a reportable incident and notifications to patients were warranted. The email account contained a limited amount of patient information such as names, addresses, health services provided, dates of service, diagnoses, and the names of health insurance providers.

Spectrum Health Lakeland was notified about the breach on March 8, 2019 and has been working with technology experts to determine the full extent and nature of the breach. Spectrum Health Lakeland will continue to use the business associate and has been working closely with the company to ensure additional protections are implemented to prevent any further breaches.

Even though Social Security numbers and other highly sensitive information were not exposed, the decision was taken to offer affected individuals identity theft protection and resolution services free of charge for 12 months through Experian IdentityWorks.

Author: HIPAA Journal

Share This Post On