Cyber Incident Victim: Monongalia Health System
Date: May 2021
Location: United States of America
Summary
A phishing attack compromised several email accounts at a West Virginia hospital system, enabling unauthorized access over multiple months. The breach was detected after a vendor reported a missing payment, prompting an investigation that revealed attackers infiltrated a contractor's email to attempt fraudulent wire transfers. While the primary aim was financial fraud rather than data theft, the exposed accounts contained sensitive patient, provider, employee, and contractor information. The organization secured affected accounts, engaged law enforcement and forensic experts, and later notified impacted individuals. The incident did not affect data from other hospitals within the system.
Description
Monongalia Health System experienced a cybersecurity incident involving unauthorized access to email accounts due to a phishing attack. The breach timeline spanned from May 10 to August 15, 2021, affecting systems at Monongalia County General Hospital Company and Stonewall Jackson Memorial Hospital Company. Attackers compromised a contractor's email account to send fraudulent emails attempting to redirect payments through wire transfers. Mon Health discovered the incident on July 28, 2021, when a vendor reported non-receipt of an expected payment. This prompted an internal investigation confirming the email account compromise. The compromised accounts contained sensitive information belonging to patients, healthcare providers, employees, and contractors. Mon Health clarified that Preston Memorial Hospital and Marion Neighborhood Hospital remained unaffected. Forensic analysis concluded on October 29, 2021, confirming the breach originated from phishing rather than direct network intrusion.

Mon Health implemented containment measures immediately after detection, including securing the compromised email account and resetting its credentials. The organization notified law enforcement and engaged a third-party forensic firm to investigate the incident's scope. Attackers focused on financial fraud through fabricated payment requests rather than targeted data exfiltration. Beginning December 21, 2021, Mon Health issued breach notification letters to affected individuals and established a dedicated toll-free call center for inquiries. Exposed data types were not explicitly detailed beyond general categories of personal and financial information within the email accounts. No ransomware deployment or broader network compromise occurred according to Mon Health's findings. The incident reflects a business email compromise scenario targeting payment processes rather than traditional healthcare data theft.
