BEC Attack on Monongalia Health System
A three-hospital health system in West Virginia has become the victim of a business email compromise (BEC) scam that began with a phishing attack.
Monongalia Health System, Inc. (MHS) had no idea that its cybersecurity defenses had been penetrated until a vendor reported not receiving a payment from the healthcare provider on July 28, 2021.
An investigation was launched, and it determined that threat actors had compromised several email accounts belonging to MHS employees between May 10, 2021, and August 15, 2021, gaining unauthorized access to emails and attachments.
Threat actors used one account belonging to an MHS contractor to impersonate Monongalia Health System and attempt to fraudulently obtain funds by wire transfer.
Monongalia Health System, whose affiliated hospitals are Monongalia County General Hospital Company, Preston Memorial Hospital, and Stonewall Jackson Memorial Hospital Company, issued a data security notice Tuesday.
In the notice, MHS said that while the threat actors had not accessed the healthcare provider's electronic health records system, some patient and employee data that was stored in the compromised email accounts had been breached.
This information included names, Medicare health insurance claim numbers (which could contain Social Security numbers), addresses, dates of birth, patient