Monongalia Health System (Mon Health) based in West Virginia has reported a cyberattack that resulted in the exposure of the patient, worker, and contractor information. This is the second big data breach reported by the health system in the last year. Mon Health stated that the two data breaches are independent incidents, though it is uncertain right now if they are related in any way.
The prior data breach was due to a phishing attack that resulted in the compromise of a number of employee email accounts. Mon Health reported the breach last December 21, 2021, and mentioned that the security breach was detected in July 2021 because a vendor claimed it did not receive a payment. The attackers utilized the breached email accounts to redirect a wire transfer. The breach investigation confirmed the compromise of the email accounts from May 10, 2021 to August 15, 2021, and they included the protected health information (PHI) of 398,164 individuals. In this instance, there was no disruption in the IT systems.
Based on the most recent Mon Health press release, the most recent breach was found out on December 30, 2021, only 9 days following the announcement of the prior data breach. Mon Health noticed strange activity in its IT system and took immediate action to protect its systems. IT systems were taken down, downtime measures were started, a company-wide password reset was done, and a third-party forensics agency was employed to look into the breach. This attack caused trouble to its IT systems.
Mon Health stated its investigation confirmed that unauthorized people got access to the IT systems from December 8, 2021 to December 19, 2021, which comprised the PHI of patients and its employee health plan members, and contractor data. Mon Health stated the breach likewise impacted its affiliated hospitals: Stonewall Jackson Memorial Hospital Company, Monongalia County General Hospital Company, and Preston Memorial Hospital Corporation.
Mon Health could not exclude unauthorized access to files that contain names, Social Security numbers, addresses, Medicare Health Insurance Claim Numbers, birth dates, patient account numbers, medical insurance plan member ID numbers, dates of service, medical record numbers, names of provider, claims details, medical and clinical treatment data and/or the status as a present or past Mon Health patient or Mon Health’s employee health plan member.
Mon Health stated it has since toughened network security and will keep implementing more safety measures and technical security steps to better secure and keep track of its systems. Notification letters were sent to impacted persons starting February 28, 2022.
The HHS’ Office for Civil Rights breach portal does not show the data breach yet, therefore it is presently unknown how many people were impacted.