- The 25+ best Black Friday Nintendo Switch deals 2024
- Why there could be a new AI chatbot champ by the time you read this
- The 70+ best Black Friday TV deals 2024: Save up to $2,000
- This AI image generator that went viral for its realistic images gets a major upgrade
- One of the best cheap Android phones I've tested is not a Motorola or Samsung
BEC Attack on Monongalia Health System
A three-hospital health system in West Virginia has become the victim of a business email compromise (BEC) scam that began with a phishing attack.
Monongalia Health System, Inc. (MHS) had no idea that its cybersecurity defenses had been penetrated until a vendor reported not receiving a payment from the healthcare provider on July 28, 2021.
An investigation was launched, which determined that threat actors had compromised several email accounts belonging to MHS employees between May 10, 2021, and August 15, 2021, gaining unauthorized access to emails and attachments.
Threat actors used one account belonging to an MHS contractor to impersonate Monongalia Health System and attempt to fraudulently obtain funds by wire transfer.
Monongalia Health System, whose affiliated hospitals are Monongalia County General Hospital Company, Preston Memorial Hospital, and Stonewall Jackson Memorial Hospital Company, issued a data security notice Tuesday.
In the notice, MHS said that while the threat actors had not accessed the healthcare provider’s electronic health records system, some patient and employee data that was stored in the compromised email accounts had been breached.
This information included names, Medicare health insurance claim numbers (which could contain Social Security numbers), addresses, dates of birth, patient account numbers, health insurance plan member ID numbers, medical record numbers, dates of service, provider names, claims information, medical and clinical treatment information, and/or status as a current or former MHS patient.
MHS has begun mailing notice letters to patients whose information may have been involved in the security incident.
“From a technology perspective, implementing verification of domains and senders’ email addresses, while not widely used, is a quick fix to authenticate domains and emails to reduce the risk of an attack by a ‘doppelganger domain,’” commented KnowBe4‘s security awareness advocate, James McQuiggan.
He added: “For the human element, a robust security awareness program educates employees to be aware of the red flags, spot fake emails, check the email address, and verify the user by explicitly asking yourself if you were expecting the email.”
MHS said that it “is continuing to review and enhance its existing security protocols and practices, including the implementation of multi-factor authentication for remote access to its email system.”
