Monongalia Health System Inc., a company that runs three hospitals in West Virginia, has been struck by a business email compromise attack.
Described Dec. 21 by the company as a “data security incident,” the attack started with an email phishing incident that led to the theft of data and hijacked payments. The company first became aware of the incident on Oct. 29 after a vendor reported not receiving payment on July 28.
An investigation found that unauthorized individuals gained access to a Mon Health contractor’s email account and sent emails from the account to obtain funds through fraudulent wire transfers.
Along with securing the contractor’s account, law enforcement was notified and a third-party forensic firm was employed to assist. The investigation also confirmed that the compromise involved only the company’s email system and did not involve electronic health records.
That said, Mon Health further discovered that personally identifiable information in emails was compromised. Details stolen included health plan information and claims, addresses, dates of birth, patient account numbers, medical record numbers, dates of service, provider names, claims information and other medical information.
Patients affected by the breach are being informed directly and a help center has been established to assist with questions. Mon Health added that it’s reviewing and enhancing security protocols and practices, including implementing multifactor authentication for remote access to its email system.
“Business email compromise continues to be the silent killer for organizations and data breaches within various industries, including healthcare,” James McQuiggan, security awareness advocate at security awareness training firm KnowBe4 Inc., told SiliconANGLE. “Utilizing a careful cynicism or a ‘trust and verify’ mindset, organizations can implement technology solutions and user processes to prevent these successful and effective attacks.”
McQuiggan noted that from a technology perspective, implementing verification of domains and sender’s email addresses is a quick fix to authenticate domains and emails to reduce the risk of an attack by a “doppelganger domain.”
“For the human element, a robust security awareness program educates employees to be aware of the red flags, spot fake emails, check the email address and verify the user by explicitly asking yourself if you were expecting the email,” McQuiggan added. “Trust but verify is the right way to make sure you don’t fall victim to email scams.”
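The sender-domain verification McQuiggan recommends against “doppelganger” domains can be automated on the receiving side. The following is an added example, written for this article and not code from Mon Health, KnowBe4 or SiliconANGLE. It assumes the organization keeps an allowlist of domains its vendors legitimately invoice from; the vendor domains, the sample `From:` headers and the edit-distance threshold below are all constructed for illustration. It classifies each sender as a known vendor, a lookalike of a known vendor (character swaps such as `1` for `l` or `rn` for `m`, accented letters, a changed top-level domain) or simply unknown, so that lookalikes can be routed to out-of-band payment verification rather than acted on.

```python
"""Flag sender domains that resemble, but are not, a known vendor's domain.

Added example for the article above; not code from Mon Health or KnowBe4.
The vendor allowlist, sample headers and threshold are constructed.
"""
import unicodedata
from email.utils import parseaddr

# Constructed allowlist: domains this organisation legitimately pays invoices from.
KNOWN_VENDOR_DOMAINS = {"example-supplier.com", "billing.example.net"}

# Single-character confusables commonly used in lookalike domains.
CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Constructed sample From: headers, with the expected verdict in the comment.
SAMPLE_FROM_HEADERS = [
    "Accounts <ap@example-supplier.com>",      # known vendor
    "Accounts <ap@examp1e-supplier.com>",      # digit 1 for letter l
    "Accounts <ap@exarnple-supplier.com>",     # "rn" standing in for "m"
    "Accounts <ap@example-supplier.co>",       # changed top-level domain
    "Newsletter <news@mailer.other-company.org>",  # unrelated, unknown sender
]


def normalize(domain: str) -> str:
    """Fold case, strip accents and map common confusables to plain ASCII."""
    folded = unicodedata.normalize("NFKD", domain.lower().rstrip("."))
    folded = "".join(c for c in folded if not unicodedata.combining(c))
    folded = folded.replace("rn", "m").replace("vv", "w")
    return folded.translate(CONFUSABLE_CHARS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def name_label(domain: str) -> str:
    """The label just below the top-level domain, e.g. 'example' in billing.example.net."""
    labels = domain.split(".")
    return labels[-2] if len(labels) >= 2 else domain


def classify_sender(from_header: str, known=KNOWN_VENDOR_DOMAINS, max_distance: int = 2):
    """Return (verdict, matched_vendor); verdict is 'known', 'lookalike' or 'unknown'."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ("unknown", None)
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    if domain in known:
        return ("known", domain)
    norm = normalize(domain)
    for vendor in sorted(known):  # sorted so the first match is deterministic
        vnorm = normalize(vendor)
        # Near-identical after confusable folding, or a changed/extra label
        # (different TLD, vendor name reused under another registrant).
        if edit_distance(norm, vnorm) <= max_distance or name_label(norm) == name_label(vnorm):
            return ("lookalike", vendor)
    return ("unknown", None)


def triage(headers):
    """Classify every header; lookalikes are the ones to hold for verification."""
    return [(h, *classify_sender(h)) for h in headers]


if __name__ == "__main__":
    for header, verdict, vendor in triage(SAMPLE_FROM_HEADERS):
        note = f" (resembles {vendor})" if verdict == "lookalike" else ""
        print(f"{verdict:9} {header}{note}")
```

Deliberately, a subdomain of a known vendor that is not itself on the allowlist is reported as a lookalike rather than trusted: a false positive costs a phone call to the vendor, whereas a missed doppelganger costs a wire transfer. This check complements, not replaces, SPF, DKIM and DMARC evaluation of the sending domain, which catches spoofing of the real vendor domain rather than registration of a similar one.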