ST. JOSEPH — Spectrum Health Lakeland announced its second data breach in as many months Wednesday.
The hospital system – which notified thousands of patients two months ago of a potential data breach – is now warning about 1,100 people that patient information may have been accessed in a separate breach that occurred in December 2018.
OS, Inc., a billing services company, confirmed an unauthorized individual accessed an email account of one of their employees. The OS email account contained information related to certain Lakeland patients.
According to a news release sent out Wednesday, Lakeland has been working with technology experts since it was notified of the problem on March 8.
“Spectrum Health (Lakeland) regrets any concern this incident may cause the affected patients and their families, and is working closely with OS, Inc. to prevent this from happening again,” the news release read.
OS is a company that is used by many health care organizations, including Lakeland, to send printed materials to patients. On Dec. 21, 2018, OS discovered the suspicious activity within a single employee’s email account.
OS engaged a third-party security expert to investigate. The expert found no evidence that patient information had been misused as a result of the attack.
However, the expert could not confirm whether information was removed, so the incident has been reported to regulators as a data breach.
The information in question includes patient names and addresses, the type of health services provided, dates of those services, diagnoses and health insurance providers.
Information that wasn’t involved in the breach includes Social Security numbers, driver’s license numbers and other financial information.
Chris Kuhlmann, the compliance and privacy officer at Spectrum Health Lakeland, said no changes have been made at this point for Lakeland’s vendors that were affected by the breaches.
“The security is usually the strongest after one of these events,” Kuhlmann said in a teleconference call Wednesday. “But we have the responsibility to ensure our vendors are mitigating risk. If they’re not, we’ll consult our experts and create a transition plan if necessary.”
Leah Voigt, chief privacy officer for Grand Rapids-based Spectrum Health, said both the mailing and billing vendors that experienced data breaches were in place prior to the Spectrum-Lakeland merger last fall.
When asked how vendors will be chosen for Lakeland in the future, Voigt said there’s no clear answer yet.
“We’re still working out details on the integration,” Voigt said in a teleconference call. “It may depend on the nature of the vendor and service. I can say we won’t have a ‘one size fits all’ approach.”
It was October 2018 when Spectrum Health completed a merger with St. Joseph-based Lakeland Health, which has since become Spectrum Health Lakeland.
Lakeland has arranged 12 months of free identity theft protection and resolution services through Experian IdentityWorks for patients affected by the OS breach. Following the second data breach, the health system is also recommending that patients regularly review account statements and periodically obtain a credit report.
Patients will get a letter in the next two to five days if their information was potentially affected, which will include more information on how to register for Experian IdentityWorks.
Been here before
Spectrum Health Lakeland previously announced in mid-March that there had been a data security issue involving a vendor that may have affected 60,000 patients.
Wolverine Services Group (WSG), a mailing company contracted by Lakeland, was hit by a cyberattack in September 2018.
Once the breach was discovered, Wolverine engaged a third-party security expert to investigate and return its information systems to normal, after a ransomware attack encrypted data.
Because Wolverine sends billing statements to patients, the information in question included patients’ names and addresses, types of health services provided, dates of those services, health insurance providers and amounts due on the patient account.
The security expert found no evidence that patient information was removed from Wolverine’s system or that any patient information had been misused as a result of the attack.
However, the incident was reported to regulators as a data breach. Kuhlmann said the response from the Wolverine breach has been relatively low.
The breach did not occur directly through Lakeland. The health system began an investigation of its own when it was notified of the problem on Dec. 17, 2018. Lakeland would later announce its findings on the Wolverine breach on March 14.
The timing was unfortunate for the hospital system, as Lakeland learned of the OS breach on March 8 – a week before announcing the Wolverine breach.
Voigt said the second breach was not announced to the public at the time because Lakeland was just beginning its investigation.
“For any individual breach, we handle them on a different timeline and response,” she said. “Under federal law, we have a period of 60 days in which we have to investigate the breach to see which patients were impacted and to make sure we have as much information as possible before telling our patients. It takes time for us to get everything we need.”
Kuhlmann added: “Not only did we have the responsibility to do an investigation, we have found that our vendors sometimes have different definitions on a breach. We still go through that process to determine whether that has happened.”