"BEC Attack on Monongalia Health System"

A three-hospital health system in West Virginia has become the victim of a business email compromise (BEC) scam that began with a phishing attack.  Monongalia Health System, Inc. (MHS) had no idea that its cybersecurity defenses had been penetrated until a vendor reported not receiving a payment from the healthcare provider on July 28, 2021.  An investigation was launched, which determined that threat actors had compromised several email accounts belonging to MHS employees between May 10, 2021, and August 15, 2021, gaining unauthorized access to emails and attachments.  Threat actors used one account belonging to an MHS contractor to impersonate Monongalia Health System and attempt to fraudulently obtain funds by wire transfer.  In a security notice, MHS said that while the threat actors had not accessed the healthcare provider’s electronic health records system, some patient and employee data that was stored in the compromised email accounts had been breached.  This information included names, Medicare health insurance claim numbers (which could contain Social Security numbers), addresses, dates of birth, patient account numbers, health insurance plan member ID numbers, medical record numbers, dates of service, provider names, claims information, medical and clinical treatment information and/or status as a current or former MHS patient.  MHS has begun mailing notice letters to patients whose information may have been involved in the security incident. 

 

Infosecurity reports: "BEC Attack on Monongalia Health System"
