Morgantown, W.Va.-based Monongalia Health System and its affiliated hospitals began notifying patients Dec. 21 that their protected health information may have been exposed during an email phishing incident the health system experienced earlier this year.
Mongolia Health System, Monongalia County General Hospital Company and Stonewall Jackson Memorial Hospital Company — collectively known as Mon Health — said it discovered the incident after a vendor reported not receiving a payment from Mon Health July 28.
The health system launched an investigation and discovered that unauthorized individuals gained access to a Mon Health contractor's email account and sent emails from the account to try to get funds from Mon Health through fraudulent wire transfers, according to the health system's Dec. 21 news release.
Mon Health determined the hackers gained access to several Mon Health email accounts between May 10 and Aug. 15. The health system has since secured the email accounts and reset their passwords.
Mon Health said while it believes the hackers' motive was to obtain funds from the health system, it "cannot rule out the possibility that emails and attachments in the involved Mon Health email accounts containing patient, provider, employee and contractor information may have been accessed as a result of this incident."
Patient, provider, employee and contractor information that may have been accessed as a result of the incident includes names, Social Security numbers, birth dates, patient account numbers, addresses and health insurance plan details.
The security incident only involved Mon Health's email system and did not affect its EHR systems or disrupt care services, the health system said.