PHI of About 400,000 Monongalia Health Patients Possibly Compromised in BEC and Phishing Attack

Monongalia Health System, based in Morgantown, WV, has started notifying about 400,000 patients that unauthorized individuals may have obtained some of their protected health information (PHI) in a recent cyberattack.

Monongalia Health System discovered the security incident only when one of its vendors reported not receiving a July 2021 payment that had left Monongalia Health’s accounts. The investigation confirmed that this was a business email compromise (BEC) attack. The attacker had used a phishing email to obtain the credentials for the email account of a Monongalia Health contractor. The threat actor then used that account to send Monongalia Health a request to change the bank account details for an upcoming payment to an account controlled by the attacker.

Monongalia Health said the investigation confirmed that several Monongalia Health email accounts were compromised as a result of staff members responding to phishing emails. The emails and attached files in those accounts contained patients’ protected health information. The intent of the attack appears to have been only to obtain money from Monongalia Health through fraudulent wire transfers, not to steal sensitive information.

The investigation confirmed that unauthorized individuals accessed a number of employee email accounts from May 10, 2021, to August 15, 2021. Although no evidence of data theft was identified, unauthorized access to patients’ PHI could not be ruled out. Monongalia Health stated that the data breach affected only its email system; its electronic medical records were not impacted. An audit of the email messages and file attachments in the compromised accounts revealed they included the PHI of Monongalia County General Hospital patients and Stonewall Jackson Memorial Hospital patients. No reports have been received indicating that the PHI of patients of other Monongalia Health hospitals was compromised.

The breached PHI comprised names, addresses, dates of birth, health insurance plan member ID numbers, patient account numbers, medical record numbers, provider names, dates of service, claims data, medical and clinical treatment details, status as a current or former Mon Health patient, and Medicare health insurance claim numbers, which can include Social Security numbers.

Monongalia Health stated it will review and strengthen its existing security protocols and will implement multi-factor authentication for those accessing its email system remotely. The HHS’ Office for Civil Rights Breach Portal shows that the breach affected up to 398,164 individuals.