Monongalia Health System in West Virginia has disclosed a data breach that exposed sensitive patient and employee information.
“Monongalia Health System, Inc., and its affiliated hospitals, Monongalia County General Hospital Company and Stonewall Jackson Memorial Hospital Company (collectively, ‘Mon Health’), announced that it recently investigated and addressed an email phishing incident, and is now notifying individuals, including patients, providers, employees, and contractors, whose information may have been involved,” the company said in a press release.
The organization says an attacker gained access to internal email accounts, apparently with the intention of conducting business email compromise (BEC) attacks.
“On October 29, 2021, Mon Health concluded its investigation of an email phishing incident which may have resulted in unauthorized access to emails and attachments in several Mon Health email accounts,” the company stated. “Mon Health first became aware of the incident after a vendor reported not receiving a payment from Mon Health on July 28, 2021. In response, Mon Health promptly launched an investigation, through which it determined that unauthorized individuals had gained access to a Mon Health contractor's email account and sent emails from the account in an attempt to obtain funds from Mon Health through fraudulent wire transfers.”
Mon Health doesn’t believe the attacker’s primary goal was to obtain patient information, but the company is disclosing the incident because the attacker did have access to this information.
“Mon Health cannot rule out the possibility that emails and attachments in the involved Mon Health email accounts containing patient, provider, employee, and contractor information may have been accessed as a result of this incident,” the company says. “Thus, out of an abundance of caution, Mon Health conducted a comprehensive search of the contents of those email accounts to identify the information they contained. Through this search, Mon Health identified emails and attachments that contained the following information relating to patients and members of Mon Health's employee health plan: names, Medicare Health Insurance Claim Numbers (which could contain Social Security numbers), addresses, dates of birth, patient account numbers, health insurance plan member ID numbers, medical record numbers, dates of service, provider names, claims information, medical and clinical treatment information and/or status as a current or former Mon Health patient.”
New-school security awareness training can enable your employees to recognize social engineering tactics so they can thwart phishing.