A three-hospital health system in West Virginia has become the victim of a business email compromise (BEC) scam that began with a phishing attack.
Monongalia Health System, Inc. (MHS) had no idea that its cybersecurity defenses had been penetrated until a vendor reported not receiving a payment from the healthcare provider on July 28, 2021.
An investigation was launched, which determined that threat actors had compromised several email accounts belonging to MHS employees between May 10, 2021, and August 15, 2021, gaining unauthorized access to emails and attachments.
Threat actors used one account belonging to an MHS contractor to impersonate Monongalia Health System and attempt to fraudulently obtain funds by wire transfer.
Monongalia Health System, whose affiliated hospitals are Monongalia County General Hospital Company, Preston Memorial Hospital, and Stonewall Jackson Memorial Hospital Company, issued a data security notice Tuesday.
In the notice, MHS said that while the threat actors had not accessed the healthcare provider’s electronic health records system, some patient and employee data that was stored in the compromised email accounts had been breached.
This information included names, Medicare health insurance claim numbers (which could contain Social Security numbers), addresses, dates of birth, patient account numbers, health insurance plan member ID numbers, medical record numbers, dates of service, provider names, claims information, medical and clinical treatment information, and/or status as a current or former MHS patient.
MHS has begun mailing notice letters to patients whose information may have been involved in the security incident.
“From a technology perspective, implementing verification of domains and senders’ email addresses, while not widely used, is a quick fix to authenticate domains and emails to reduce the risk of an attack by a ‘doppelganger domain,’” commented KnowBe4‘s security awareness advocate, James McQuiggan.
He added: “For the human element, a robust security awareness program educates employees to be aware of the red flags, spot fake emails, check the email address, and verify the user by explicitly asking yourself if you were expecting the email.”
MHS said that it “is continuing to review and enhance its existing security protocols and practices, including the implementation of multi-factor authentication for remote access to its email system.”