Monongalia Health System, Inc. Investigates and Addresses Data Security Incident

MORGANTOWN, W.V., Dec. 21, 2021 /PRNewswire/ -- Today, Monongalia Health System, Inc., and its affiliated hospitals, Monongalia County General Hospital Company and Stonewall Jackson Memorial Hospital Company (collectively, "Mon Health"), announced that it recently investigated and addressed an email phishing incident, and is now notifying individuals, including patients, providers, employees, and contractors, whose information may have been involved.  

On October 29, 2021, Mon Health concluded its investigation of an email phishing incident which may have resulted in unauthorized access to emails and attachments in several Mon Health email accounts. Mon Health first became aware of the incident after a vendor reported not receiving a payment from Mon Health on July 28, 2021. In response, Mon Health promptly launched an investigation, through which it determined that unauthorized individuals had gained access to a Mon Health contractor's email account and sent emails from the account in an attempt to obtain funds from Mon Health through fraudulent wire transfers.

Upon learning of this, Mon Health secured the contractor's email account and reset the password, notified law enforcement, and a third-party forensic firm was engaged to assist with the investigation. The investigation also confirmed that this incident was limited to Mon Health's email system and did not involve Mon Health's electronic health records systems. The investigation also found no indication that any of Mon Health's other affiliated hospitals or healthcare facilities, including Mon Health Preston Memorial Hospital and Mon Health Marion Neighborhood Hospital, were involved in or impacted by the incident. Importantly, the incident did not disrupt the services or operations of Mon Health or any of its affiliated hospitals or healthcare facilities.

Through its investigation, Mon Health determined that unauthorized individuals gained access to several Mon Health email accounts between the dates of May 10, 2021 and August 15, 2021. In response, Mon Health secured the email accounts and reset their passwords.

Based on its investigation, Mon Health believes the purpose of the unauthorized access to the email accounts was to obtain funds from Mon Health through fraudulent wire transfers and to perpetrate an email phishing scheme, not to access personal information. That said, Mon Health cannot rule out the possibility that emails and attachments in the involved Mon Health email accounts containing patient, provider, employee, and contractor information may have been accessed as a result of this incident.

Thus, out of an abundance of caution, Mon Health conducted a comprehensive search of the contents of those email accounts to identify the information they contained. Through this search, Mon Health identified emails and attachments that contained the following information relating to patients and members of Mon Health's employee health plan: names, Medicare Health Insurance Claim Numbers (which could contain Social Security numbers), addresses, dates of birth, patient account numbers, health insurance plan member ID numbers, medical record numbers, dates of service, provider names, claims information, medical and clinical treatment information and/or status as a current or former Mon Health patient.

Beginning on December 21, 2021, Mon Health is mailing notice letters to patients whose information may be involved in this incident and has established a dedicated, toll-free call center to help answer questions from individuals whose information may have been involved in this incident. Additional information is available at https://www.monhealth.com or by calling Mon Health's dedicated, toll-free incident response line at (855) 545-2461, Monday through Friday, between 9:00am to 6:30pm, Eastern Time. 

Patients who receive notice letters are advised to review the statements they receive from their health care providers and health insurance plan. If individuals see services they did not receive, they should contact the provider or health plan immediately.

To help prevent something like this from happening again, Mon Health is continuing to review and enhance its existing security protocols and practices, including the implementation of multi-factor authentication for remote access to its email system.

SOURCE Monongalia Health System, Inc.