Mon Health phishing attack, account takeover impacts data of 398K patients

A phishing attack and subsequent email account takeover at Monongalia Health System potentially compromised the protected health information of 398,164 patients. The incident affected Mon Health and two affiliated West Virginia hospitals, Monongalia County General Hospital Company and Stonewall Jackson Memorial Hospital Company.

On July 28, a vendor informed Mon Health of a missed payment, which prompted an investigation. Officials said they discovered several threat actors gained access to a contractor’s email account to send emails seeking to obtain funds via fraudulent wire transfers. Upon discovery, Mon Health secured the contractor’s account and reset the account password.

A separate investigation was launched with support from a third-party forensic firm, which confirmed the incident began with an email phishing attack and was limited to the Mon Health email system. The electronic health record system was not impacted.

The phishing attack resulted in unauthorized access to emails and attachments in several employee email accounts for three months between May 10, 2021 and August 15, 2021. 

The evidence shows the likely purpose of the attack was to secure fraudulent wire transfers and to send further phishing emails, not to obtain personal information. However, the investigation could not rule out access to the emails and attachments, which contained patient, provider, employee, and contractor information.

The potential compromise was determined on Oct. 29, prompting a comprehensive review of the accounts to determine the contacts. 

The investigators determined the impacted protected health information tied to patients and the Mon Health employee health plan included names, Medicare Health Insurance Claim Numbers, some Social Security numbers, contact information, patient account numbers, insurance plan member ID numbers, medical record numbers, dates of service, and other medical data.

Mon Health is currently reviewing its existing security protocols and practices and intends to add enhancements where needed, including implementing multi-factor authentication for remote access to its email system.

Cyberattack behind ongoing Capital Region Medical Center network outage

Capital Region Medical Center officials have confirmed that the ongoing network outage across its systems was caused by a cyberattack. As reported on Dec. 17, the Missouri-based provider shut down its network as a precaution after discovering unusual activity in its phone system.

The network outage is affecting both telephone and computer systems. Clinicians have been operating under previously practiced electronic health record downtime procedures to “ensure care continuity.”

A Dec. 22 update confirmed a “disruption to the network systems” prompted officials to disable the network and launch an investigation with assistance from a third-party cybersecurity firm, confirming the cybersecurity incident.

“While our information security team is working diligently to bring our systems back online as quickly, and securely, as possible, nothing is more important to us than the health and safety of our patients and continuing to provide the care our patients expect,” officials said in a statement.

CRMC is experiencing a high volume of calls, which may cause delays for patients attempting to reach the hospital. The social media post shows some appointments have been canceled, including all virtual appointments due to the network interruption. A timeline for recovery has not yet been determined.

Southern Orthopaedic Associates email hack impacts 107K patients

The personal and protected health information of 106,910 Southern Orthopaedic Associates patients was potentially accessed during the hack of several employee email accounts. SOA does business as Orthopaedic Institute of Western Kentucky, providing services in Kentucky and Illinois. 

On July 7, SOA discovered suspicious activity in an employee email account. Working with an outside computer forensics specialist, an investigation determined a hacker accessed several employee email accounts between June 24, 2021 and July 8, 2021.

The investigation could not determine which email accounts were potentially viewed by the attacker, so SOA reviewed the entirety of the impacted accounts to determine if any patient data was accessible during the hack. Officials said they could not determine if patient data was actually accessed, viewed, or acquired without permission.

The impacted data varied by individual and could include names, dates of birth, SSNs, driver's licenses, passport numbers, financial account numbers and/or routing numbers, security codes, payment card numbers, usernames and passwords, PINs or account logins, claims data, diagnoses, medical record numbers, Medicare/Medicaid identifications, and health information.

SOA is in the process of implementing further technical security measures, as well as additional training and education for employees to prevent a recurrence.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
