Monongalia Health is based in West Virginia. Cyber attackers breached its email systems along with affiliated Monongalia County General Hospital Company and Stonewall Jackson Memorial Hospital Company.
Such high numbers show that covered entities are not doing everything they can and must do to protect patients’ information. More needs to be done to comply with HIPAA by employing robust cybersecurity features like HIPAA compliant email.
Monongalia Health first discovered the data breach on July 28, 2021. An employee received an email from a vendor reporting that they did not receive a payment.
A preliminary investigation found that threat actors somehow accessed the contractor’s email account. The hackers then sent the email asking for payment through a fraudulent wire transfer.
Given this, the health system secured the email account, reset the password, hired a third-party investigator, and notified law enforcement.
The third-party investigation concluded in October. It revealed that the cyber attackers obtained access to multiple email accounts between May 10 and August 15. And unfortunately, the email accounts contained personally identifiable information (PII) and PHI such as:
- Names, addresses, and birthdates
- Employee health plan information
- Insurance information and claims
- Medical information
Some accounts may have also included Social Security numbers.
The health system’s electronic health records remained unaffected along with operations and patient care. But unfortunately, Monongalia Health could not rule out PII/PHI access.
The provider mailed notification letters to impacted individuals on December 21. The U.S. Office for Civil Rights’ Breach Notification Portal lists the breach as a hacking/IT incident affecting 398,164 individuals.
Phishing and healthcare
Phishing is a malicious attempt to trick people into giving up personal and online account information. In this instance, the cyber attackers used email phishing to gain access to the contractor’s email account.
According to Monongalia Health, several employees responded to the initial phishing emails.
Phishing emails are effective, largely because email is the most accessible threat vector (or entry point) into any system. Moreover, employees remain the weakest link for most organizations’ security programs.
This is especially true for healthcare providers this year as they struggle with tired and stressed staff because of the COVID-19 pandemic.
Blocking phishing emails and practicing good cyber hygiene are necessary parts of HIPAA compliance. For Monongalia Health, improving its cyber hygiene means reviewing existing protocols and implementing multifactor authentication (MFA) for remote access.
But they should also consider ensuring that employee awareness training is consistent and up to date along with strong access controls like MFA.
And ultimately, the best way to stop employees from inadvertently sharing information is to use strong email security.
Paubox Email Suite Plus—strong defense against phishing
Enabling HIPAA compliant email with strong inbound and outbound email security is crucial to safeguarding PHI. Paubox Email Suite Plus automatically encrypts all outgoing emails and delivers them directly to an inbox.
And Paubox Email Suite Plus comes with Zero Trust Email, which adds a layer of verification even before an email gets delivered. Our solution protects healthcare organizations from malware, phishing, and display name spoofing, keeping email accounts locked from outsiders.
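The kind of pre-delivery verification and display name spoofing check described above can be illustrated with a small inbound-mail scoring script. This is an added example written for this post; it is not Paubox code and does not describe how Paubox Email Suite Plus works internally. The domain, the protected display names, the phrase list and the three sample messages are all constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed allow-list: display names the organisation expects only from its own
# domain. Domain and names are hypothetical placeholders, not from the original post.
INTERNAL_DOMAIN = "example-health.test"
PROTECTED_DISPLAY_NAMES = {"accounts payable", "jane doe"}

# Phrases typical of payment-redirection requests (a constructed, deliberately short list).
PAYMENT_PATTERN = re.compile(
    r"\b(wire transfer|payment (is )?overdue|update(d)? (our |the )?bank(ing)? (details|account)|remit(tance)?)\b",
    re.IGNORECASE,
)


def _domain(address: str) -> str:
    """Return the lower-cased domain part of an address, or '' if it has none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def analyze_message(raw: str) -> dict:
    """Score one raw RFC 5322 message and return its findings and a delivery verdict."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    findings = []

    # 1. Display-name spoofing: a trusted-looking name on an external address.
    if display.strip().lower() in PROTECTED_DISPLAY_NAMES and from_domain != INTERNAL_DOMAIN:
        findings.append("display_name_spoof")

    # 2. Reply-To on a different domain than From, so replies leave the visible sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append("reply_to_mismatch")

    # 3. SPF/DMARC results stamped by the receiving mail server (constructed header values).
    auth = msg.get("Authentication-Results", "").lower()
    if "dmarc=fail" in auth or "spf=fail" in auth:
        findings.append("auth_fail")

    # 4. Payment-redirection language in the body (plain-text bodies only in this example).
    body = msg.get_payload() if not msg.is_multipart() else ""
    if PAYMENT_PATTERN.search(body or ""):
        findings.append("payment_request")

    if "display_name_spoof" in findings or "auth_fail" in findings:
        verdict = "quarantine"
    elif "payment_request" in findings:
        # Legitimate-looking sender but a payment request: hold for out-of-band confirmation.
        verdict = "hold_for_review"
    else:
        verdict = "deliver"
    return {"from": addr, "display_name": display, "findings": findings, "verdict": verdict}


# Constructed sample 1: external sender borrowing an internal display name.
SPOOFED_MESSAGE = """From: Accounts Payable <ap-billing@mail-invoice.test>
To: staff@example-health.test
Subject: Overdue invoice
Authentication-Results: mx.example-health.test; spf=pass smtp.mailfrom=mail-invoice.test; dmarc=none
Content-Type: text/plain

Our payment is overdue. Please send a wire transfer to the updated bank details attached.
"""

# Constructed sample 2: a vendor's genuine account (as in the incident above), so no
# spoofing or authentication check fires; only the payment language is caught.
COMPROMISED_VENDOR_MESSAGE = """From: Vendor Billing <billing@vendor-supplies.test>
To: ap@example-health.test
Subject: Invoice 1042
Authentication-Results: mx.example-health.test; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain

We did not receive the payment for invoice 1042. Please remit to our new account.
"""

# Constructed sample 3: ordinary internal mail.
LEGITIMATE_MESSAGE = """From: Jane Doe <jane.doe@example-health.test>
To: staff@example-health.test
Subject: Meeting
Authentication-Results: mx.example-health.test; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain

Reminder: the staff meeting is moved to 3pm.
"""

if __name__ == "__main__":
    for sample in (SPOOFED_MESSAGE, COMPROMISED_VENDOR_MESSAGE, LEGITIMATE_MESSAGE):
        print(analyze_message(sample))
```

The second sample models the Monongalia case: the request came from the vendor's own compromised account, so neither the display-name check nor SPF/DMARC catches it, and only the payment-request language does. That is why a held message still needs confirmation with the vendor through a known channel (a phone number already on file) rather than a reply to the email itself.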
Monongalia Health thankfully caught the business email compromise (BEC) scheme before paying a ransom to the cyber attackers, but unfortunately it still violated HIPAA with the phishing breach, something that could have been avoided altogether.
And that’s why you should be a Paubox Email Suite Plus customer. With our solution, employees won’t be given the opportunity to fall for phishing. And your organization remains safe and secure from cyber threats so that you can concentrate on what’s important: patient care.