Monongalia Health System (Mon Health) this week started notifying patients, employees, and partners of a cyberattack that may have resulted in their data being stolen.
The healthcare services provider discovered the incident on December 18, when some of its IT systems were disrupted, but learned of the potential data theft only a couple of weeks later. The attackers had access to the organization’s network between December 8 and December 19.
The data breach may have resulted in patient information – alongside employee, provider, and contractor data – being stolen, but the attackers weren’t able to access the organization’s electronic health records systems.
Affected data, Mon Health says, includes names, addresses, birth dates, Social Security numbers, health insurance claim numbers, medical record numbers, patient account numbers, medical treatment information, and various other data.
Upon learning of the incident, the healthcare services provider took parts of its network down, reset passwords enterprise-wide, hardened its network, and notified the relevant authorities.
Mon Health says it has started notifying impacted patients via mail, but did not provide details on the number of affected individuals.
The data breach announcement comes roughly two months after Mon Health announced a business email compromise (BEC) incident following unauthorized access to its email system between May 10 and August 15, 2021.
The attack impacted roughly 400,000 people, the company told the U.S. Department of Health and Human Services in December.