Some reportable HIPAA breaches occur in the context of bad actors trying to re-route wire payments. Monongalia Health System in West Virginia seems to have suffered that type of breach. The incident impacted the email system of Monongalia Health System and its affiliated hospitals, Monongalia County General Hospital Company and Stonewall Jackson Memorial Hospital Company. It did not impact any other entities or systems, and no patient care was affected.
The compromise of employee email accounts via a phishing attack was first discovered in July, after one of the health system's vendors reported never receiving payment.
Regardless of the threat actors’ intentions, employee and patient information was attached to compromised accounts, and so the health system is now notifying patients and members of Mon Health’s employee health plan that the following types of their information may have been accessed:
names, Medicare Health Insurance Claim Numbers (which could contain Social Security numbers), addresses, dates of birth, patient account numbers, health insurance plan member ID numbers, medical record numbers, dates of service, provider names, claims information, medical and clinical treatment information and/or status as a current or former Mon Health patient.
There is no indication in the health system’s press release that any protected health information was exfiltrated — only that it might have been accessed.
The number of employees and patients being notified was not included in the notice, and the incident does not (yet) appear on HHS’s public breach tool.
Updated December 23: The incident has been added to HHS’s public breach tool as impacting 398,164 people.