Second Data Security Incident Affects Spectrum Health Lakeland Patients
Spectrum Health Lakeland has notified 1,100 patients that their PHI may have been compromised in a data security incident. This is the second data breach Lakeland has experienced in as many months.
The previous breach occurred through Lakeland’s business associate, Wolverine Services Group. That incident impacted around 60,000 Lakeland patients and up to 600,000 individuals overall.
Much like the previous incident, this breach occurred at a business associate. Lakeland’s patient data was compromised following a successful phishing campaign launched against OS, Lakeland’s billing services provider.
The email account compromised in the phishing attack contained the PHI of approximately 1,100 Lakeland patients. The breach was discovered on December 21, 2018, after an employee noticed suspicious activity on the account. Steps were taken to revoke the unauthorised individual’s access to the email account and secure the data.
A third-party computer forensics expert was hired to assist with the investigation. Investigators did not find any evidence that the hacker had accessed or downloaded patient PHI. However, in emails and attachments had been accessed or stolen. However, data theft could not be definitively ruled out.
The investigators determined that account contained a limited amount of patient information such as names, addresses, health services provided, dates of service, diagnoses, and the names of health insurance providers.
OS informed Spectrum Health Lakeland of the breach on March 8, 2019. They have since stated that they have been working with technology experts to determine the full extent and nature of the breach. Spectrum Health Lakeland will continue to use the business associate and has been working closely with the company to ensure additional protections are implemented to prevent any further breaches.
As an act of good faith, affected individuals have been offered identity theft protection and resolution services free of charge for 12 months through Experian IdentityWorks.