400,000 Individuals Affected by Email Breach at West Virginia Healthcare Company
Monongalia Health System (Mon Health) this week disclosed a business email compromise (BEC) incident that was the result of unauthorized access to its email system.
Mon Health says it became aware of the intrusion on July 28, when a vendor notified it of a payment that had not come through. An investigation launched into the matter revealed that adversaries likely had unauthorized access to the email system between May 10 and August 15, 2021.
As part of the incident, cybercriminals compromised a Mon Health contractor’s email account and used it to send messages in an attempt to obtain funds through fraudulent wire transfers.
The investigation also revealed that the miscreants managed to compromise other email accounts as well, but Mon Health believes that the purpose of the attack was BEC fraud.
Regardless, during the breach, the attacker likely had access to emails and attachments containing employee, contractor and provider information, as well as patient data, and the organization is currently in the process of notifying the affected individuals.
Potentially compromised data includes names, birth dates, addresses, patient account numbers, Medicare Health Insurance Claim Numbers, medical record numbers, health insurance plan member ID numbers, claims and treatment information, provider names, and dates of service.
The organization informed the U.S. Department of Health and Human Services this week that over 398,000 people might have been affected in the incident.
Mon Health also notes that it has since secured the affected email accounts and reset their passwords, and says that its electronic health records systems were not compromised during the incident. No other affiliated healthcare facilities or hospitals were compromised and their services and operations, as well as those of Mon Health, were not disrupted.
The organization encourages affected patients to review statements received from healthcare providers, to ensure they are not charged for services they did not receive.
“To help prevent something like this from happening again, Mon Health is continuing to review and enhance its existing security protocols and practices, including the implementation of multi-factor authentication for remote access to its email system,” the organization said.
Located in North Central West Virginia, Mon Health operates a network of hospitals, outpatient centers, and integrated physician clinics, including affiliated hospitals Monongalia County General Hospital Company and Stonewall Jackson Memorial Hospital Company.