[BreachExchange] Spectrum Health Lakeland announces data breach

Destry Winant destry at riskbasedsecurity.com
Fri Mar 15 08:59:55 EDT 2019


Spectrum Health Lakeland is in the process of notifying about 60,000
patients about a data security issue involving a vendor, the health
system announced Thursday.

Wolverine Services Group (WSG), a mailing company contracted by
Spectrum Health Lakeland, was hit by the cyberattack.

Loren Hamel, president of Spectrum Health Lakeland, said the breach
was not done directly through Spectrum Health Lakeland.

“We take the data and security of those entrusted in our care
incredibly seriously,” Hamel told The Herald-Palladium on Thursday.
“Every day we are working to make sure that data is protected. It
deeply saddens us to share with our friends and neighbors that their
data was encrypted and unencrypted.”

Once the breach was discovered, Wolverine engaged a third-party
security expert to investigate and return its information systems to
normal, after a ransomware attack encrypted data.

The breach in question involved the Lakeland portion of Spectrum
Health, not the wider Spectrum company.

According to a news release from Spectrum Health Lakeland, the
security expert found no evidence that patient information was removed
from WSG’s system or that any patient information had been misused as
a result of the attack.

The incident has been reported to regulators as a data breach.

Spectrum Health Lakeland has been working with its own technology
experts since it was notified of the problem last Dec. 17. Hamel said
the breach occurred in September, but it was several months before the
breach was discovered.

Hamel said it often takes awhile to discover such breaches.

“We got the clean data back from (WSG) within the last few days,”
Hamel said. “To the best of everybody’s forensic evidence, the data
was encrypted and then unencrypted. No data that we know of has been
stolen. Out of caution we wanted to tell anyone who was part of that
data breach.”

Because Wolverine sends billing statements to patients, the
information in question includes patients’ names and addresses, types
of health services provided, dates of those services, health insurance
providers and amounts due on the patient account.

Wolverine also told the hospital system that Social Security numbers
may also have been involved in the breach.

“Every significant company in the country encounters millions or
billions attempts at cyber security breaches every year,” Hamel said.
“The reality is occasionally one gets through. This one didn’t get
through Spectrum Health Lakeland’s firewall, but a vendor.”

Wolverine has arranged for free credit monitoring and financial
investigative services through AllClear ID services for affected
patients for 12 months, and is recommending that patients regularly
review account statements and obtain a free credit report.

Patients will also get a letter in the next seven to 10 days if their
information was possibly affected.

“I’m a patient at Spectrum Health Lakeland. I will likely be getting a
letter from myself on this data breach,” Hamel said. “We care for our
friends and neighbors and this is obviously important to us because
we’re committed to doing everything we can to take good care of each

Other health care systems in Michigan also were affected by the data
breach through Wolverine.

It was last October when Grand Rapids-based Spectrum Health completed
a merger with St. Joseph-based Lakeland Health, which then became
known as Spectrum Health Lakeland.

More information about the BreachExchange mailing list