A data breach occurred at a West Virginia hospital system as a result of a phishing assault, which provided hackers access to multiple email accounts. From May 10 to August 15, hackers gained access to various email accounts at Monongalia Health System, which operates Monongalia County General Hospital Company and Stonewall Jackson Memorial Hospital Company. These accounts held sensitive data from patients, providers, employees, and contractors.
Mon Health completed its investigation into an email phishing incident that may have resulted in unauthorized access to emails and attachments in numerous Mon Health email accounts on October 29, 2021. Mon Health initially became aware of the situation on July 28, 2021, when a vendor reported not getting payment from Mon Health. In response, Mon Health initiated an investigation, which revealed that unauthorized individuals got access to a Mon Health contractor's email account and sent emails from the account in an attempt to collect funds from Mon Health via fraudulent wire transfers.
When Mon Health learned of this, it secured the contractor's email account and reset the password, alerted law authorities, and hired a third-party forensic firm to assist the investigation. The inquiry also revealed that the problem was limited to Mon Health's email system and did not touch the organization's electronic health records systems. There was also no evidence that any of Mon Health's other connected hospitals or healthcare facilities, including Mon Health Preston Memorial Hospital and Mon Health Marion Neighbourhood Hospital, were involved in or impacted by the incident. Importantly, the incident had no effect on Mon Health's services or operations or those of any of its connected hospitals or healthcare facilities.
Patients who have been affected by the breach have been notified personally, and an assistance centre has been established to answer inquiries. Mon Health also stated that it is analyzing and improving its security processes and practices, including the implementation of multifactor authentication for remote access to its email system.
“Business email compromise continues to be the silent killer for organizations and data breaches within various industries, including healthcare,” said James McQuiggan, security awareness advocate at security awareness training firm KnowBe4 Inc. “Utilizing a careful cynicism or a ‘trust and verify’ mindset, organizations can implement technology solutions and user processes to prevent these successful and effective attacks."
McQuiggan highlighted that, from a technological standpoint, implementing domain and sender email address verification is a straightforward patch to authenticate domains and emails and lessen the possibility of an attack by a "doppelganger domain."