West Virginia-Based Monongalia Health System Suffers Phishing Attack

West Virginia-based Monongalia Health System (Mon Health) has announced that it suffered a phishing attack that also affected its affiliated hospitals, Monongalia County General Hospital Company and Stonewall Jackson Memorial Hospital Company. The intrusion potentially exposed personally identifiable information (PII) and protected health information (PHI) belonging to patients, employees, and contractors.

Mon Health discovered the incident on July 28, 2021, after a vendor reported not receiving a payment from Mon Health. Mon Health launched an investigation and found that unauthorized individuals had accessed a contractor’s email account and sent emails attempting to obtain funds from Mon Health via fraudulent wire transfers.

The health system said it immediately secured the contractor’s email account, reset the password, engaged a third-party forensic firm, and notified law enforcement of the incident. Further investigation revealed that the unauthorized individuals had access to multiple Mon Health email accounts between May 10 and August 15, 2021.

“Based on its investigation, Mon Health believes the purpose of the unauthorized access to the email accounts was to obtain funds from Mon Health through fraudulent wire transfers and to perpetrate an email phishing scheme, not to access personal information,” the announcement stated.

“That said, Mon Health cannot rule out the possibility that emails and attachments in the involved Mon Health email accounts containing patient, provider, employee, and contractor information may have been accessed as a result of this incident.”

Mon Health found that the compromised email accounts contained patient information and information on members of Mon Health’s employee health plan, including: 

  • Medicare Health Insurance Claim numbers, 
  • addresses, 
  • birth dates, 
  • health insurance plan, 
  • member ID numbers, 
  • medical record numbers, 
  • provider names, 
  • dates of service, 
  • claims information, and 
  • medical and clinical treatment information.

The investigation determined that the phishing attack did not involve Mon Health’s electronic health records systems. In addition, affiliated hospitals Mon Health Preston Memorial Hospital and Mon Health Marion Neighborhood Hospital were not involved in the incident.

The health system said it began mailing letters to impacted patients on December 21 and established a call centre to help answer questions about the incident. The phishing attack did not affect clinical operations.

“Patients who receive notice letters are advised to review the statements they receive from their health care providers and health insurance plan. If individuals see services they did not receive, they should contact the provider or health plan immediately,” Mon Health warned.

“To help prevent something like this from happening again, Mon Health is continuing to review and enhance its existing security protocols and practices, including the implementation of multi-factor authentication for remote access to its email system.”

Phishing is a common, low-effort way for threat actors to gain network access: a single click on a malicious link or attachment can be enough to let them in, encrypt files, and demand payment. Healthcare organizations can reduce the likelihood that phishing attacks succeed by focusing on employee education and cybersecurity training. Under the HIPAA Privacy Rule, covered entities must implement a security awareness training program for their employees.

The most effective way to ensure that employees do not fall victim to a phishing attack is to implement technical safeguards that stop phishing emails from ever reaching their inboxes. Installing antivirus software, implementing endpoint security, and deploying advanced web filters are good places to start, and, as Mon Health's own remediation shows, multi-factor authentication limits what an attacker can do with a password that is phished anyway.
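As an added example (not Mon Health's tooling and not anything the announcement describes), the following Python rule set shows the kind of content-based triage a mail gateway can apply so that payment-fraud mail of the sort used in this incident (an external request, sent from a compromised contractor account, to urgently send or redirect a payment) is quarantined for review instead of landing in a finance inbox. The internal domain, the scoring thresholds and the sample messages are assumptions constructed for illustration.

```python
"""Toy mail-gateway triage for business-email-compromise (BEC) indicators.

Added example. Scores a message on signals typical of fraudulent
wire-transfer requests and decides whether to quarantine it. A compromised
but legitimate contractor mailbox still trips the content rules, which is
the point: sender reputation alone would not have caught this incident.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumption: the organisation's own mail domains (constructed placeholder).
INTERNAL_DOMAINS = {"example-health.org"}

# Constructed keyword patterns; a production filter would use a richer model.
WIRE_TERMS = re.compile(
    r"\b(wire transfer|wire instructions|routing number|account number|"
    r"remit(?:tance)?|invoice|payment)\b", re.I)
CHANGE_TERMS = re.compile(
    r"\b(new|updated|changed?)\b.{0,40}\b(bank|account|routing|instructions)\b", re.I)
URGENCY_TERMS = re.compile(
    r"\b(urgent|immediately|today|asap|before (?:end of|close of) (?:day|business))\b", re.I)

QUARANTINE_THRESHOLD = 3  # assumption: tuned for illustration only


@dataclass
class Message:
    sender: str
    reply_to: Optional[str]
    subject: str
    body: str


@dataclass
class Verdict:
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    @property
    def action(self) -> str:
        return "quarantine" if self.score >= QUARANTINE_THRESHOLD else "deliver"

    def hit(self, weight: int, reason: str) -> None:
        self.score += weight
        self.reasons.append(reason)


def domain(addr: str) -> str:
    """Return the lower-cased domain part of an address."""
    return addr.rsplit("@", 1)[-1].lower()


def triage(msg: Message) -> Verdict:
    """Score one message; higher means more BEC-like."""
    v = Verdict()
    text = f"{msg.subject}\n{msg.body}"
    if domain(msg.sender) not in INTERNAL_DOMAINS:
        v.hit(1, "external sender")
    # A Reply-To pointing at a look-alike domain diverts the finance reply.
    if msg.reply_to and domain(msg.reply_to) != domain(msg.sender):
        v.hit(2, "reply-to domain differs from sender")
    if WIRE_TERMS.search(text):
        v.hit(1, "payment/wire language")
    if CHANGE_TERMS.search(text):
        v.hit(2, "request to change payment details")
    if URGENCY_TERMS.search(text):
        v.hit(1, "urgency language")
    return v


# Constructed sample messages (not real mail from the incident).
SAMPLES: Dict[str, Message] = {
    "fraud": Message(
        sender="accounts@contractor-example.com",
        reply_to="accounts@contractor-examp1e.com",
        subject="URGENT: updated wire instructions for invoice 4471",
        body="Please use the new account number below and send payment today.",
    ),
    "internal": Message(
        sender="hr@example-health.org", reply_to=None,
        subject="Lunch-and-learn Thursday",
        body="Join us in the cafeteria at noon.",
    ),
    "newsletter": Message(
        sender="news@vendor-example.com", reply_to=None,
        subject="Monthly newsletter",
        body="Read about our new product line.",
    ),
}


def triage_all() -> Dict[str, str]:
    """Map each sample name to the gateway action it would receive."""
    return {name: triage(m).action for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, m in SAMPLES.items():
        v = triage(m)
        print(f"{name:10s} score={v.score} action={v.action} reasons={v.reasons}")
```

The weights deliberately favour the combination of a payment-change request with a diverted Reply-To, since either alone is common in legitimate mail; the "external sender" point on its own leaves routine vendor newsletters untouched.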