Spectrum Health Lakeland has revealed that a breach, the second the group has suffered in as many months, has exposed the protected health information (PHI) of some of its clients. The previous breach took place at Wolverine Services Group and affected around 60,000 of its patients.
The latest incident involved an unauthorized person obtaining access to an email account as a result of a response to a phishing email. As was the case with the previous breach, the incident occurred at a business associate.
OS, Inc., a supplier of billing services, found that an unauthorized individual had obtained access to the email account of one of its staff members. The email account was found to contain the PHI of approximately 1,100 Spectrum Health Lakeland clients.
OS Inc. noticed a potential breach on December 21, 2018, after suspicious activity was detected within a staff email account. A third-party computer forensics specialist was hired to assist with the investigation and found no proof to suggest that any PHI in emails and attachments had been accessed or illegally taken. However, it was not possible to rule out data access or exfiltration with a sufficiently high level of certainty.
Because of this, the breach was determined to be a reportable incident and notifications to patients were necessary. The email account held a limited amount of patient information such as names, addresses, health services provided, dates of service, diagnoses, and the names of health insurance suppliers.
Spectrum Health Lakeland was contacted in relation to the breach on March 8, 2019, and has been working with technology experts to determine the full extent and nature of the breach. Spectrum Health Lakeland will continue using the business associate and has been working closely with the company to ensure extra protections are implemented to prevent any additional breaches.
Even though Social Security numbers and other highly sensitive data were not exposed, the decision was taken to provide affected individuals with identity theft protection and resolution services free of charge for one year through Experian IdentityWorks.