Monongalia Health System in West Virginia issued a press release this week about a data breach that impacted patients, employees, and contractors. It was the second incident reported by them in a one-year period. But was this incident unrelated to the first incident or related to it? It’s not yet clear, let’s back up to their first report and start with that. In December, they had reported that in July, they had discovered that employee email accounts had been compromised by a phishing attack. Mon Health made that discovery when investigating why one of their vendors reported never receiving payment. Their investigation found that unauthorized access to email had occurred between May 10, 2021, and August 15, 2021.
That incident reportedly affected patients and members of Mon Health’s employee health plan: names, Medicare health insurance claim numbers (which could contain Social Security numbers), addresses, dates of birth, patient account numbers, health insurance plan member ID numbers, medical record numbers, dates of service, provider names, claims information, medical and clinical treatment information and/or status as a current or former Mon Health patient. [“Mon Health” refers to Monongalia Health System, Inc., and its affiliated hospitals: Monongalia County General Hospital Company, Stonewall Jackson Memorial Hospital Company, and Preston Memorial Hospital Corporation.]
Mon Health reported to HHS that 398,164 patients were being notified about that incident.
Now the health system has issued a second press release. According to this newest one:
On December 30, 2021, Mon Health determined that a data security incident resulted in unauthorized access to information pertaining to Mon Health patients, providers, employees, and contractors. Mon Health first learned of this incident on December 18, 2021, when it was alerted to unusual activity in its IT network which disrupted the operations of some of Mon Health’s IT systems. The investigation determined that the incident did not involve unauthorized access to Mon Health’s electronic health records systems but unauthorized parties did access its IT network between December 8, 2021, and December 19, 2021. They write:
Mon Health’s investigation cannot rule out the possibility that, while in its IT network, the unauthorized parties may have accessed files on IT systems that contain patient, provider, employee, and contractor information. This information may have included the following information relating to patients and members of Mon Health’s employee health plan: names, addresses, Social Security numbers, Medicare Health Insurance Claim Numbers (which could contain Social Security numbers), dates of birth, patient account numbers, health insurance plan member ID numbers, medical record numbers, dates of service, provider names, claims information, medical and clinical treatment information and/or status as a current or former Mon Health patient or member of Mon Health’s employee health plan.
This is basically the same description as last year’s notification, suggesting that attackers may have hit the same system as last year. And once again, it seems that patient data was not segmented (or not effectively segmented) from employee data and contractor/vendor data.
But was this incident related to last year’s? Did new threat actors exploit the same weakness as previous attackers in a phishing attack that gave them credentials to access the IT system? Did the earlier threat actors leave a backdoor into the system that was now exploited again? Or was this a totally unrelated attack by different threat actors?
So far, Mon Health seems to have escaped a total disaster of having its systems encrypted and patient care significantly disrupted. Hopefully, they will find out exactly how these two incidents occurred so they can harden their security or practices as needed.
This post will be updated when Mon Health responds to this site’s inquiry about whether there is any connection between these incidents.