A phishing attack on a West Virginia hospital system resulted in a data breach, giving hackers access to multiple email accounts. From May 10 through August 15, hackers had access to various email accounts at Monongalia Health System, which operates Monongalia County General Hospital Company and Stonewall Jackson Memorial Hospital Company. These accounts contained sensitive information belonging to patients, providers, workers, and contractors. On October 29, the company announced the results of its investigation into the event, which revealed that the cyberattack resulted from an email phishing attack.
According to the company, Mon Health became aware of the problem because a vendor reported not receiving payment from Mon Health on July 28, 2021. In response, Mon Health started an investigation, which revealed that unauthorized persons had accessed a Mon Health contractor’s email account and sent emails from it in an attempt to obtain funds from Mon Health via fraudulent wire transfers.
After learning of the breach, Mon Health secured the contractor’s email account and changed its password, alerted law enforcement, and hired a third-party forensic firm to assist with the investigation. Information from its other facilities, including Mon Health Preston Memorial Hospital and Mon Health Marion Neighborhood Hospital, was not involved in the cyberattack.
According to the company, the purpose of the unauthorized access to the email accounts was to obtain funds from Mon Health through fraudulent wire transfers and to conduct an email phishing campaign, not to access personal information. On December 21, Mon Health began mailing breach notification letters to victims and announced that a toll-free contact center had been established for individuals with inquiries. Several healthcare companies have had to issue breach notification letters to patients after hacks or ransomware events exposed sensitive data.