West Virginia Healthcare Breach Traced to Phishing

Monongalia Health System in West Virginia has disclosed a data breach that exposed sensitive patient and employee information.

“Monongalia Health System, Inc., and its affiliated hospitals, Monongalia County General Hospital Company and Stonewall Jackson Memorial Hospital Company (collectively, ‘Mon Health’), announced that it recently investigated and addressed an email phishing incident, and is now notifying individuals, including patients, providers, employees, and contractors, whose information may have been involved,” the company said in a press release.

The organization says an attacker gained access to internal email accounts, apparently with the intention of conducting business email compromise (BEC) attacks.

“On October 29, 2021, Mon Health concluded its investigation of an email phishing incident which may have resulted in unauthorized access to emails and attachments in several Mon Health email accounts,” the company stated. “Mon Health first became aware of the incident after a vendor reported not receiving a payment from Mon Health on July 28, 2021. In response, Mon Health promptly launched an investigation, through which it determined that unauthorized individuals had gained access to a Mon Health contractor's email account and sent emails from the account in an attempt to obtain funds from Mon Health through fraudulent wire transfers.”

Mon Health doesn’t believe the attacker’s primary goal was to obtain patient information, but the company is disclosing the incident because the attacker did have access to this information.

“Mon Health cannot rule out the possibility that emails and attachments in the involved Mon Health email accounts containing patient, provider, employee, and contractor information may have been accessed as a result of this incident,” the company says. “Thus, out of an abundance of caution, Mon Health conducted a comprehensive search of the contents of those email accounts to identify the information they contained. Through this search, Mon Health identified emails and attachments that contained the following information relating to patients and members of Mon Health's employee health plan: names, Medicare Health Insurance Claim Numbers (which could contain Social Security numbers), addresses, dates of birth, patient account numbers, health insurance plan member ID numbers, medical record numbers, dates of service, provider names, claims information, medical and clinical treatment information and/or status as a current or former Mon Health patient.”

New-school security awareness training can enable your employees to recognize social engineering tactics so they can thwart phishing.
