Cyber Incident Victim: Outpatient Services Inc.

In 2018, OS, Inc., a provider of revenue management and billing services to healthcare entities, experienced a cybersecurity incident involving unauthorized access to its systems via a phishing attack. The breach was first disclosed by the company in May 2019, approximately one year after its occurrence. OS, Inc. notified multiple affected clients but did not publicly release a total number of impacted individuals or identify all client organizations in its initial disclosure. The incident compromised patient data managed by OS, Inc. on behalf of its healthcare clients, though the specific types of exposed data were not detailed in available reports.

The breach's scope became clearer through subsequent disclosures by affected clients. Spectrum Health Lakeland reported notifying 1,100 patients from St. Joseph’s hospital. Idaho Department of Health and Welfare disclosed notifications to 2,060 individuals, while Fort Healthcare in Wisconsin notified approximately 19,000 patients. Midwest Medical Center, though not named in OS, Inc.’s original notice, independently reported notifying 8,000 patients. Three additional clients—Tahoe Forest Health District, Sparta Community Hospital, and Sauk Prairie Healthcare—were confirmed as affected by OS, Inc. but had not released notification numbers or public statements at the time of reporting. Media outlets supplemented these disclosures where official figures were unavailable. OS, Inc.’s incident response involved coordinating with clients to facilitate individual notifications, though the company did not publicly elaborate on containment measures, forensic findings, or whether regulatory penalties resulted. The cumulative impact remained incomplete due to pending disclosures from several affected entities.