Share this article on:
West Virginia-based Monongalia Health System (Mon Health) has announced it was the victim of a cyberattack that has exposed patient, employee, and contractor data. This is the second major data breach to be reported by the health system in the past 12 months. Mon Health has confirmed that these two data breaches are separate incidents, although it is unclear at this stage if they are in any way related.
The previous data breach was the result of a phishing attack that saw several employee email accounts compromised. Mon Health announced the breach on December 21, 2021, and said the security breach was discovered in July 2021 when a vendor reported not receiving a payment. The attackers used the compromised email accounts to divert a wire transfer. The investigation into the breach determined the email accounts were compromised between May 10, 2021, and August 15, 2021, and they contained the protected health information of 398,164 patients. In this incident, IT systems were not disrupted.
According to the latest Mon Health press release, the latest breach was discovered on December 30, 2021, 9 days after the announcement was made about the previous data breach. Mon Health detected unusual activity in its IT environment and took prompt action to secure its systems. IT systems were taken offline, downtime procedures were initiated, an organization-wide password reset was performed, and a third-party forensics firm was engaged to investigate the breach. This attack resulted in disruption to its IT systems.
Mon Health said its investigation determined that unauthorized individuals accessed IT systems between December 8, 2021, and December 19, 2021, that contained the protected health information of patients and members of its employee health plan, and contractor information. Mon Health said the incident also affected its affiliated hospitals: Monongalia County General Hospital Company, Stonewall Jackson Memorial Hospital Company, and Preston Memorial Hospital Corporation.
Mon Health was unable to rule out unauthorized access to files containing names, addresses, Social Security numbers, Medicare Health Insurance Claim Numbers, dates of birth, patient account numbers, health insurance plan member ID numbers, medical record numbers, dates of service, provider names, claims information, medical and clinical treatment information and/or the status as a current or former Mon Health patient or member of Mon Health’s employee health plan.
Mon Health said it has since hardened network security and will continue to implement additional safeguards and technical security measures to better protect and monitor its systems. Notification letters started to be sent to affected individuals on February 28, 2022.
Update: The data breach has been reported to the HHS’ Office for Civil Rights as affecting 492,861 individuals.