Phishing incident causes data breach at West Virginia hospitals

Attackers accessed email accounts containing Social Security numbers, medical treatment information, and more.
Written by Jonathan Greig, Contributor

A hospital system in West Virginia has suffered a data breach resulting from a phishing attack, which gave hackers access to several email accounts. 

Monongalia Health System -- which runs Monongalia County General Hospital Company and Stonewall Jackson Memorial Hospital Company -- said that hackers had access to several email accounts from May 10 to August 15. These accounts contained sensitive information from patients, providers, employees, and contractors. 

The company concluded its investigation into the incident on October 29, finding that the attack resulted from an email phishing incident.

"Mon Health first became aware of the incident after a vendor reported not receiving a payment from Mon Health on July 28, 2021. In response, Mon Health promptly launched an investigation, through which it determined that unauthorized individuals had gained access to a Mon Health contractor's email account and sent emails from the account in an attempt to obtain funds from Mon Health through fraudulent wire transfers," the company explained. 

"Upon learning of this, Mon Health secured the contractor's email account and reset the password, notified law enforcement, and a third-party forensic firm was engaged to assist with the investigation."

The attack did not include information from their other hospitals, including Mon Health Preston Memorial Hospital and Mon Health Marion Neighborhood Hospital. 

The company claims that "the purpose of the unauthorized access to the email accounts was to obtain funds from Mon Health through fraudulent wire transfers and to perpetrate an email phishing scheme, not to access personal information."

Mon Health started sending breach notification letters to victims on December 21 and said a toll free call center was created for those with questions. 

Dozens of healthcare organizations have had to send out breach notification letters to patients due to cyberattacks or ransomware incidents that exposed sensitive data. 

Editorial standards