West Virginia-Based Monongalia Health System Suffers Phishing Attack

December 23, 2021 - West Virginia-based Monongalia Health System (Mon Health), along with its affiliated hospitals Monongalia County General Hospital Company and Stonewall Jackson Memorial Hospital Company announced that it suffered a phishing attack that potentially exposed patient, employee, and contractor personally identifiable information (PII) and protected health information (PHI).

Mon Health discovered the incident on July 28, 2021, after a vendor reported not receiving a payment from Mon Health. Mon Health launched an investigation and discovered that unauthorized individuals had accessed a contractor’s email account and sent emails attempting to obtain funds from Mon Health via fraudulent wire transfers.

The health system said it immediately secured the contractor’s email account, reset the password, engaged a third-party forensic firm, and notified law enforcement of the incident. Further investigation revealed that the unauthorized individuals had access to multiple Mon Health email accounts between May 10 and August 15, 2021.

“Based on its investigation, Mon Health believes the purpose of the unauthorized access to the email accounts was to obtain funds from Mon Health through fraudulent wire transfers and to perpetrate an email phishing scheme, not to access personal information,” the announcement stated.

“That said, Mon Health cannot rule out the possibility that emails and attachments in the involved Mon Health email accounts containing patient, provider, employee, and contractor information may have been accessed as a result of this incident.”

Mon Health found that the compromised email accounts contained patient information and information pertaining to members of Mon Health’s employee health plan, including Medicare Health Insurance Claim numbers, addresses, birth dates, health insurance plan member ID numbers, medical record numbers, provider names, dates of service, claims information, and medical and clinical treatment information.

The investigation determined that the phishing attack did not involve Mon Health’s electronic health records systems. In addition, affiliated hospitals Mon Health Preston Memorial Hospital and Mon Health Marion Neighborhood Hospital were not involved in the incident.

The health system said it began mailing letters to impacted patients on December 21 and established a call center to help answer questions about the incident. The phishing attack did not impact clinical operations.

“Patients who receive notice letters are advised to review the statements they receive from their health care providers and health insurance plan. If individuals see services they did not receive, they should contact the provider or health plan immediately,” Mon Health warned.

“To help prevent something like this from happening again, Mon Health is continuing to review and enhance its existing security protocols and practices, including the implementation of multi-factor authentication for remote access to its email system.”

Phishing attacks are a common and easy way for threat actors to gain network access, encrypt files, and demand payment with a single click.

Healthcare organizations can prevent phishing attacks by focusing on employee education and cybersecurity training. Under the HIPAA Privacy Rule, covered entities are required to implement a security awareness training program for their employees. However, phishing attacks remain one of the most common attack vectors.

The most effective way to make sure that employees do not fall victim to a phishing attack is to implement technical safeguards that prevent phishing emails from ever reaching their inboxes. Installing antivirus software, implementing endpoint security, and having advanced web filters are great places to start.