The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Montgomery General Hospital Suffers Ransomware Attack and Data Leak

Posted By on Apr 5, 2023

Montgomery General Hospital in West Virginia has suffered a cyberattack that saw unauthorized individuals gain access to its IT systems on or around February 28, 2023, and deploy ransomware on or around March 1, 2023. The attackers gained access to certain servers, exfiltrated files, and encrypted data. Montgomery General Hospital engaged a third-party security firm to assist with the investigation to determine the extent of the breach and has confirmed that its cloud-based electronic medical record system was not affected. The exfiltrated files mostly contained historical data, including budget documents, cost reports, and vendor payments; however, some of the files contained patient information.

At this stage of the investigation, the extent to which patient information has been compromised is still being determined. The hospital has confirmed that notifications will be sent to affected patients ahead of the 60-day reporting deadline of the Breach Notification Rule and credit monitoring services will be offered to individuals whose Social Security numbers were involved. Montgomery General Hospital said it temporarily took its electronic medical record system offline as a precaution, but access was promptly restored and patient care was unaffected by the attack. A hospital spokesperson confirmed that a ransom demand was received for $750,000 but the ransom was not paid on the advice of law enforcement and due to the historical nature of the compromised data. The hospital’s investigation indicates the incident started with a phishing attack and the hospital is aware that some of the stolen files have been publicly released on the ransomware group’s data leak site.

The D#nut ransomware gang has claimed responsibility for the cyberattack and said it had entered into negotiations with the hospital, but lost patience and started to release some of the stolen data on its data leak site. A member of the group contacted DataBreaches and shared a link to the published data and the site confirmed the published files included employee data. When questioned, the group said access was gained by exploiting a Microsoft Exchange vulnerability.

The incident has been reported to the HHS’ Office for Civil Rights as affecting 500 individuals – a commonly used placeholder until the full extent of an attack is known.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist