A three-hospital health system in West Virginia has become the target of a business email compromise (BEC) scam that began with a phishing attack.
Monongalia Health System, Inc. (MHS) had no idea that its cybersecurity defenses had been penetrated until a vendor reported not receiving a payment from the healthcare provider on July 28, 2021.
An investigation was launched, which determined that threat actors had compromised several email accounts belonging to MHS employees between May 10, 2021, and August 15, 2021, gaining unauthorized access to emails and attachments.
The threat actors used one account belonging to an MHS contractor to impersonate Monongalia Health System and attempt to fraudulently obtain funds by wire transfer.
Monongalia Health System, whose affiliated hospitals are Monongalia County General Hospital Company, Preston Memorial Hospital, and Stonewall Jackson Memorial Hospital Corporation, issued a data security notice on Tuesday.
In the notice, MHS said that while the threat actors had not accessed the healthcare provider's electronic health record system, some patient and employee information stored in the compromised email accounts had been breached.
This information included names, Medicare health insurance claim numbers (which may include Social Security numbers), addresses, dates of birth, patient account numbers, health insurance plan member ID numbers, medical record numbers, dates of service, provider names, claims information, medical and clinical treatment information, and/or status as a current or former MHS patient.
MHS has begun mailing notification letters to individuals whose information may have been involved in the security incident.
“From a technology standpoint, implementing verification of domains and senders’ email addresses, while not widely applied, is a quick fix to authenticate domains and emails to lower the risk of an attack by a ‘doppelganger domain,’” commented KnowBe4’s security awareness advocate, James McQuiggan.
He added: “For the human element, a robust security awareness program educates employees to be aware of the red flags, spot fake emails, check the email address, and verify the user by explicitly asking if you were expecting the email.”
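The two technical controls McQuiggan mentions, authenticating the sending domain and catching doppelganger (lookalike) domains, can be combined into a simple inbound-mail check on the receiving side. The following is an added example and not code from the original article, MHS, or KnowBe4; it assumes the receiving mail server has already stamped an `Authentication-Results` header with SPF, DKIM and DMARC outcomes, and uses a constructed list of trusted vendor domains (`vendor-billing.example`, `supplies.example`) that stand in for whatever an accounts-payable team actually does business with.

```python
"""Classify an inbound sender against a list of trusted vendor domains.

Two defensive checks, as described in the quote above:
  1. read the SPF/DKIM/DMARC results the receiving MTA recorded, and
  2. flag "doppelganger" domains that merely resemble a trusted vendor.
Note that a lookalike domain registered by an attacker can itself pass
DMARC, which is why check 2 is needed even when check 1 succeeds.
"""
import re
from dataclasses import dataclass

# Constructed example values; a real deployment would load these from the
# vendor master file or the AP team's approved-sender list.
TRUSTED_DOMAINS = {"vendor-billing.example", "supplies.example"}

# Characters commonly swapped for visually similar ones in lookalike domains.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})
_DIGRAPHS = (("rn", "m"), ("vv", "w"), ("cl", "d"))

# Matches "spf=pass", "dkim=fail", "dmarc=pass" etc. inside Authentication-Results.
_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


@dataclass
class Verdict:
    label: str   # "trusted", "spoofed", "lookalike" or "unknown"
    reason: str  # human-readable explanation for the analyst or the AP clerk


def normalize(domain: str) -> str:
    """Fold a domain into a canonical form so lookalikes compare equal."""
    d = domain.strip().lower().rstrip(".").translate(_HOMOGLYPHS)
    for pair, single in _DIGRAPHS:
        d = d.replace(pair, single)
    return d.replace("-", "")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_auth_results(header: str) -> dict:
    """Extract {method: result} from an Authentication-Results header value."""
    return {m.group(1).lower(): m.group(2).lower() for m in _RESULT_RE.finditer(header)}


def classify_sender(from_addr: str, auth_results: str, trusted=TRUSTED_DOMAINS) -> Verdict:
    """Decide whether a payment-related email's sender should be acted on."""
    domain = from_addr.rsplit("@", 1)[-1].strip().lower()
    results = parse_auth_results(auth_results)

    if domain in trusted:
        # Known vendor: only trust it if the domain's own DMARC policy was satisfied.
        if results.get("dmarc") == "pass":
            return Verdict("trusted", f"{domain} is a known vendor and DMARC passed")
        return Verdict("spoofed", f"{domain} is a known vendor but DMARC={results.get('dmarc', 'none')}")

    # Not a known vendor: does it resemble one after homoglyph folding?
    norm = normalize(domain)
    for candidate in sorted(trusted):
        if edit_distance(norm, normalize(candidate)) <= 2:
            return Verdict("lookalike", f"{domain} resembles trusted vendor {candidate}")

    return Verdict("unknown", f"{domain} is not a known vendor; verify out of band before paying")


if __name__ == "__main__":
    # Constructed sample headers, in the shape an MTA writes them.
    good = ("mx.hospital.example; spf=pass smtp.mailfrom=vendor-billing.example; "
            "dkim=pass header.d=vendor-billing.example; dmarc=pass header.from=vendor-billing.example")
    bad = ("mx.hospital.example; spf=fail smtp.mailfrom=vendor-billing.example; "
           "dkim=none; dmarc=fail header.from=vendor-billing.example")
    twin = ("mx.hospital.example; spf=pass smtp.mailfrom=vendor-bi11ing.example; "
            "dkim=pass header.d=vendor-bi11ing.example; dmarc=pass header.from=vendor-bi11ing.example")
    for addr, hdr in [("ap@vendor-billing.example", good),
                      ("ap@vendor-billing.example", bad),
                      ("ap@vendor-bi11ing.example", twin),
                      ("ap@unrelated.example", good)]:
        v = classify_sender(addr, hdr)
        print(f"{addr:30} -> {v.label:9} ({v.reason})")
```

The third sample is the instructive one: the attacker-registered `vendor-bi11ing.example` passes SPF, DKIM and DMARC for its own domain, so authentication alone says nothing, and only the lookalike comparison against the approved vendor list raises the flag. In practice this check belongs in the mail gateway or in the accounts-payable workflow, alongside the out-of-band callback the quote recommends for any change in payment details.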
MHS said that it “is continuing to evaluate and enhance its existing security protocols and procedures, including the implementation of multi-factor authentication for remote access to its email system.”
Some parts of this article are sourced from:
www.infosecurity-journal.com