Monongalia Health Data Breach Affects Almost 500,000 Patients

Monongalia Health System in West Virginia (Mon Health) has recently announced it fell victim to a cyberattack in December 2021, and hackers potentially accessed the protected health information of 492,861 patients. This is the second major data breach to be announced by Mon Health in the past 12 months. An earlier cyberattack was announced in December 2021, a few days before the latest breach was detected, which affected 398,164 patients.

The latest security breach was detected by Mon Health on December 30, 2021, and caused disruption to certain IT systems. An investigation was launched, which revealed the attackers had accessed certain IT systems between December 8, 2021, and December 19, 2021.

Mon Health said it acted quickly to secure its systems. The affected IT systems were immediately taken offline to prevent further unauthorized access and an organization-wide password reset was performed. A computer forensics firm was called in to investigate the breach and determine the nature and scope of the attack. The investigation confirmed the attackers gained access to IT systems where patients’ protected health information was stored, and potentially viewed or obtained information such as names, addresses, dates of birth, Medicare Health Insurance Claim Numbers, Social Security numbers, patient account numbers, health insurance ID numbers, medical record numbers, dates of service, provider names, claims information, and medical/clinical information.

Mon Health sent notification letters to affected individuals on February 28, 2022, and said it has taken steps to harden the security of its network and will be implementing further technical safeguards that will allow it to better protect its systems against unauthorized access and increase system monitoring.

The earlier data breach was a phishing attack that allowed unauthorized individuals to gain access to several employee email accounts. Mon Health announced that breach on December 21, 2021, and said the email accounts were compromised between May 10, 2021, and August 15, 2021. Mon Health said these were two separate security incidents.

After suffering two major data breaches in relatively quick succession, Mon Health is likely to be investigated by the HHS’ Office for Civil Rights to determine whether it was compliant with the requirements of the HIPAA Security Rule and had implemented appropriate safeguards to protect against unauthorized ePHI access.