PHI of Almost 400,000 Monongalia Health Patients Potentially Compromised in BEC and Phishing Attack

Morgantown, WV-based Monongalia Health System has started notifying almost 400,000 patients that some of their protected health information (PHI) may have been obtained by unauthorized individuals in a recent cyberattack.

The security incident came to light when one of its vendors reported not receiving a July 2021 payment that had left Monongalia Health’s accounts. The investigation into the incident confirmed this was a business email compromise (BEC) attack. The attacker had used a phishing email to obtain the credentials for a Monongalia Health contractor’s email account, which was used to send a request to Monongalia Health to have the bank account details for an upcoming payment changed to an account controlled by the attacker.

Monongalia Health said the investigation revealed several Monongalia Health email accounts had been compromised as a result of employees responding to phishing emails, and emails and email attachments in those accounts contained patients’ protected health information. The purpose of the attack appears to have solely been to obtain funds from Monongalia Health through fraudulent wire transfers, rather than to steal sensitive data.

The investigation confirmed several employee email accounts had been accessed by unauthorized individuals between May 10, 2021, and August 15, 2021, and while no evidence of data theft has been identified, unauthorized accessing of patients’ protected health information could not be ruled out. Monongalia Health said the data breach was limited to its email system and electronic medical records were unaffected. A review of the emails and attachments in the compromised accounts revealed they contained the PHI of patients of Monongalia County General Hospital and Stonewall Jackson Memorial Hospital. The PHI of patients of other Monongalia Health hospitals does not appear to have been compromised.

The exposed PHI included names, addresses, dates of birth, patient account numbers, health insurance plan member ID numbers, medical record numbers, dates of service, provider names, claims information, medical and clinical treatment information, status as a current or former Mon Health patient, and Medicare health insurance claim numbers, which could contain Social Security numbers.

Monongalia Health said it will be reviewing and enhancing its existing security protocols and practices and will implement multi-factor authentication for remote access to its email system. The HHS’ Office for Civil Rights Breach Portal indicates up to 398,164 individuals have been affected.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.