PHI of Nearly 400,000 Monongalia Health Patients Likely Exposed in BEC and Phishing Attack

Monongalia Health System in Morgantown, WV has begun informing approximately 400,000 individuals that unauthorized people may have acquired their protected health information (PHI) in a recent cyberattack.

Monongalia Health System found out about the security incident because one of its providers stated that it did not get a July 2021 payment from Monongalia Health’s accounts. As per the investigation of the occurrence, it was established there seemed to be a business email compromise (BEC) attack. The attacker had employed a phishing email to get the information for the email account associated with a Monongalia Health contractor. Then, the threat actor employed it to mail a request to Monongalia Health to replace the bank account data for an upcoming payment with an account managed by the attacker.

Monongalia Health mentioned that the investigation affirmed the breach of several Monongalia Health email accounts because of workers replying to phishing emails. The emails and file attachments in those accounts included patients’ protected health information. It looks like that the objective of the attacker is only to acquire cash from Monongalia Health via bogus wire transfers, instead of stealing sensitive information.

The investigation established that unauthorized individuals accessed a number of employee email accounts between May 10, 2021, and August 15, 2021, and though there’s no proof of data theft determined, unauthorized accessing of patients’ PHI cannot be eliminated. Monongalia Health mentioned the data breach just impacted its email system. Its electronic medical records were not affected. An analysis of the email messages and attached files in the breached accounts showed they comprised the PHI of Stonewall Jackson Memorial Hospital patients and Monongalia County General Hospital patients. The sensitive data of patients of other Monongalia Health hospitals don’t seem to have been affected.

The compromised PHI contained names, addresses, birth dates, medical insurance plan member ID numbers, patient account numbers, health record numbers, names of provider, dates of service, claims data, medical and clinical treatment details, standing as a current or past Mon Health patient, and Medicare health insurance claim numbers, which may have Social Security numbers.

Monongalia Health stated it will be auditing and improving its present security practices and will employ multi-factor authentication for users logging into its email system remotely. The HHS’ Office for Civil Rights Breach Website exhibits that the breach impacted around 398,164 people.