Monongalia Health System suffers phishing attack

Yet another healthcare provider, Monongalia Health System, had to notify affected individuals about a recent phishing attack.

RELATED: Why is healthcare a juicy target for cybercrime?

Monongalia Health is based in West Virginia. Cyber attackers breached its email systems along with affiliated Monongalia County General Hospital Company and Stonewall Jackson Memorial Hospital Company.

Phishing and cyberattacks continue to wreak havoc on healthcare providers. This past year alone, 40,099,751 individuals have had their protected health information (PHI) exposed.

Such high numbers show that covered entities are not doing everything they can and must do to protect patients’ information. More needs to be done to comply with HIPAA by employing robust cybersecurity features like HIPAA compliant email.

What happened?

Monongalia Health first discovered the data breach on July 28, 2021. An employee received an email from a vendor reporting that they did not receive a payment. A preliminary investigation found that threat actors somehow accessed the contractor’s email account. The hackers then sent the email asking for payment through a fraudulent wire transfer.

RELATED: Business email compromise: how to protect yourself

Given this, the health system secured the email account, reset the password, hired a third-party investigator, and notified law enforcement. The third-party investigation concluded in October. It revealed that the cyber attackers obtained access to multiple email accounts between May 10 and August 15. And unfortunately, the email accounts contained personally identifiable information (PII) and PHI such as:

  • Names, addresses, and birthdates
  • Employee health plan information
  • Insurance information and claims
  • Medical information

Some accounts may have also included Social Security numbers. The health system’s electronic health records remained unaffected along with operations and patient care. But unfortunately, Monongalia Health could not rule out PII/PHI access. The provider mailed notification letters to impacted individuals on December 21. The U.S. Office for Civil Rights’ Breach Notification Portal lists the breach as a hacking/IT incident affecting 398,164 individuals.


Phishing and healthcare

Phishing is a malicious attempt to trick people into giving up personal and online account information. In this instance, the cyber attackers used email phishing to gain access to the contractor’s email account.

According to Monongalia Health, several employees responded to the initial phishing emails. Phishing emails are effective, largely because email is the most accessible threat vector (or entry point) into any system. Moreover, employees remain the weakest link for most organizations’ security programs. This is especially true for healthcare providers this year as they struggle with tired and stressed staff because of the COVID-19 pandemic.

RELATED: Cybersecurity management: How companies are responding to COVID-19 and remote work

HIPAA compliance is necessary for organizations that must block phishing emails and practice good cyber hygiene. For Monongalia Health, improving its cyber hygiene means reviewing existing protocols and implementing multifactor authentication (MFA) for remote access. It should also consider keeping employee awareness training consistent and up to date, alongside strong access controls like MFA. And ultimately, the best way to stop your employees from inadvertently sharing information is by utilizing strong email security.


Paubox Email Suite Plus—strong defense against phishing

Enabling HIPAA compliant email with strong inbound and outbound email security is crucial to safeguarding PHI.

Paubox Email Suite Plus automatically encrypts all outgoing emails and delivers them directly to an inbox.

RELATED: Why healthcare providers should use HIPAA compliant email

Our HITRUST CSF certified product requires no change in email behavior and works with any existing email platform, such as Microsoft 365 and Google Workspace. And Paubox Email Suite Plus comes with Zero Trust Email, which adds a layer of verification even before an email gets delivered. Our solution protects healthcare organizations from malware, phishing, and display name spoofing, keeping email accounts locked from outsiders.

Monongalia Health thankfully caught the BEC scheme before paying a ransom to the cyber attackers, but unfortunately it still violated HIPAA with the phishing breach, something that could have been avoided altogether. And that’s why you should be a Paubox Email Suite Plus customer.

With our solution, employees won’t be given the opportunity to fall for phishing. And your organization remains safe and secure from cyber threats so that you can concentrate on what’s important: patient care.


Try Paubox Email Suite Plus for FREE today.
