Almost 500,000 Patients Affected by Mon Health Data Breach

In December 2021, Monongalia Health System (Mon Health) started notifying almost 400,000 individuals about a business email compromise attack, where threat actors compromised email accounts and used them to arrange fraudulent wire transfers. The attackers had access to email accounts from May 10, 2021, until August 15, 2021.

On December 18, 2021, just a few days after the announcement about the BEC attack was made, Mon Health discovered threat actors had gained access to some of its IT systems in December. Mon Health said these were two separate security breaches. The investigation confirmed that the attackers first accessed its IT systems on December 8, 2021, and access remained possible until December 19, 2021. Mon Health said the attack caused disruption to its IT systems and the compromised systems housed files that contained sensitive employee, patient, and contractor data, but that its electronic medical record system was unaffected.

A comprehensive review of all files on the compromised systems confirmed they contained names, addresses, dates of birth, Social Security numbers, health insurance claim numbers, medical record numbers, patient account numbers, medical treatment information, and various other types of data.

Mon Health took steps to improve email security after the first data breach and said in its breach notification letters that an enterprise password reset was performed, network security was hardened, and additional technical safeguards have been implemented in response to the second breach.

While Mon Health did not state in its breach notification letters how many individuals were affected, the breach report submitted to the U.S. Department of Health and Human Services’ Office for Civil Rights indicates up to 492,861 patients were affected. It is unclear how many employees and contractors had sensitive data exposed.

The HHS’ Office for Civil Rights investigates all data breaches affecting more than 500 individuals and it is likely that after suffering two breaches in quick succession, OCR will review the security policies in place to ensure Mon Health was compliant with the requirements of the HIPAA Security Rule.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of