Mon Health Reports Breach Soon After Phishing IncidentEarlier Breach Affected Nearly 399,000 - How Many Are Affected This Time?
A West Virginia-based healthcare entity that reported a phishing breach in December affecting nearly 399,000 individuals this week reported a separate security incident that appears to have potentially involved ransomware.
In a breach notification statement issued Monday, Morgantown, West Virginia-based Monongalia Health System, Inc. - known as Mon Health - says that on Dec. 30, 2021, it determined that a data security incident resulted in unauthorized access to information pertaining to Mon Health patients, providers, employees and contractors.
Mon Health says it first learned of the incident on Dec. 18, 2021, "when it was alerted to unusual activity in its IT network which disrupted the operations of some of Mon Health's IT systems."
In its statement, the entity says it immediately took a significant portion of its IT network and systems offline and initiated downtime procedures. Mon Health says it also conducted an enterprisewide password reset, implemented network-hardening measures, notified law enforcement authorities and launched a comprehensive investigation, with the assistance of a third-party forensic firm.
Mon Health's investigation determined that unauthorized parties accessed its IT network between Dec. 8, 2021, and Dec. 19, 2021.
Potentially compromised information includes names, addresses, Social Security numbers, Medicare claim numbers - which could contain Social Security numbers, dates of birth, patient account numbers, health insurance plan member ID numbers, medical record numbers, dates of service, provider names, claims information, medical and clinical treatment information and/or status as a current or former Mon Health patient or member of Mon Health's employee health plan.
Mon Health did not immediately respond to Information Security Media Group's request for additional details about the incident, including whether it involved ransomware and how many individuals were affected.
On Dec. 21, 2021, Mon Health issued a separate data breach notification about a phishing incident that involved unauthorized access to emails and attachments in several Mon Health email accounts. (see: 2 Hacking Incidents Collectively Hit PHI of Nearly 750,000).
In that incident, Mon Health said it had determined that unauthorized individuals gained access to a Mon Health contractor's email account and sent emails from the account in an attempt to obtain funds from Mon Health through fraudulent wire transfers.
On Dec. 21, 2021, Mon Health reported the email hacking incident to federal regulators as affecting nearly 399,000 individuals.
Unlike the breach notification statement that Mon Health issued this week, the earlier one said that that incident "did not disrupt the services or operations of Mon Health or any of its affiliated hospitals or healthcare facilities."
In both statements, Mon Health says the incidents did not involve Mon Health's electronic health record systems.
As of Wednesday, the Department of Health and Human Services' Office for Civil Rights HIPAA Breach Reporting Tool website listing major breaches affecting 500 or more individuals only shows one entry for Mon Health - the phishing incident reported in December 2021.
A Mon Health spokesman tells ISMG that the two reported breaches are separate incidents.
Regulatory attorney Paul Hales of the Hales Law Group says it is "surprising" that Mon Health suffered a cybersecurity breach right after another breach affecting hundreds of thousands of individuals.
"The earlier breach rang a loud warning bell," he says. "The HIPAA Security Rule and OCR guidance lays out fundamental steps to protect against such a breach."
That includes performing an enterprisewide risk analysis and risk management, information system activity review, information access management, audit controls and security awareness and training, according to Hales.
"These security safeguards reduce the risk of a breach as well as enable early detection of suspicious activity. An organization would then be able to proceed with required security incident procedures and implement, as necessary, its contingency plan," he says.
Hales says Mon Health’s notice on Monday about its second breach indicates that the entity is now adopting safeguards and technical security measures to further protect and monitor its systems. "That is appropriate and should have been done immediately after the first breach," he says.
But according to its notice regarding last year's phishing breach, Hales says, "Mon Health concentrated corrective actions regarding the prior breach on remote access to its email system."
Regulatory attorney Rachel Rose says organizations that use the National Institute of Standards and Technology's cybersecurity framework for prevention, detection and correction are generally "in a better position to respond and engage outside entities, such as attorneys, incident response/forensic teams, etc." when there is a security incident.
She says the situation is comparable to "an individual coming into the emergency room with his/her arm hanging on by a thread. In order to save the nerves and vascular structures, a tourniquet needs to be placed and swift surgical intervention needs to occur - otherwise the likelihood of losing the arm increases. This same concept applies both to loss of data and spread of the malware or ransomware. Stop the bleeding, repair, and look for other damage and implement protective measures."
Whether the data breaches reported by Mon Health in December 2021 and February 2022 involved two separate or interrelated security compromises, the descriptions it provided for each touch upon top security challenges facing healthcare sector entities, including a continued surge in hacking, phishing and ransomware incidents.
During a presentation on Wednesday at the virtual HIPAA Summit, Nicholas Heesters, senior adviser for cybersecurity at the Department of Health and Human Services' Office for Civil Rights, said there was a 45% increase from 2019 to 2020 in reported hacking/IT incident breaches affecting 500 or more individuals. In 2020, 66% of those reported hacking/IT incident breaches involved ransomware.
"There's been a steady increase in these [hacking] incidents year after year - in particular ransomware," he says, and in 2021, 73% of major breaches reported to OCR were hacking incidents.
The location at which major breaches are reported to have occurred has also been shifting heavily to network servers and email, according to Heesters.
In 2021, 80% of the major breaches reported to OCR combined involved network servers (52%) and email systems (28%), he says. "That's a good indication of the trends. That's where your [sensitive] data will be - in these locations," he says.
Of large breaches reported to OCR, the major causes of infiltration include phishing, compromised accounts - especially for remote access - and unpatched vulnerabilities, Heesters says.
He says phishing has been main point of malware delivery for several years and while it is not a new threat, it "needs to be taken into consideration with other evolving threats."
Common compromised account incidents include instances of passwords sold on the dark web, password stuffing, and brute force attacks involving single factor authentication, "especially in remote access," according to Heesters.
He says health data breaches involving unpatched vulnerabilities include the exploitation of known security flaws, as well as exploitation of "internal vulnerabilities" in which hackers gain administrative and other privileged access.
Heesters says that some of OCR's investigations have also found instances in which entities experiencing data security incidents do not realize that unauthorized access by hackers continues in their environments, including from backdoors, or that malware reinfections occur or persist even after the entities thought they had mitigated a breach.
"You might not realize that you just reinstalled malware from your backups," he says.