WVU Medicine patients exposed to data breach
WHEELING — WVU Medicine patients who received radiology services through its group of hospitals were exposed to a data breach earlier this year through a third-party vendor WVU Medicine contracts with.
The health system is just one part of the breach that, according to reports, has affected more than 1.2 million individuals nationwide.
A letter sent to radiology patients dated Sept. 19 from Nuance Communications, the third-party vendor that provides some software services to WVU Medicine among many other organizations. The letter from Nuance stated that a third-party company it contracts with to securely transfer files, Progress Software, notified Nuance of a “previously unknown vulnerability” in their software.
That vulnerability allowed an unauthorized party to take information from Progress’ software between May 28 and May 29, according to the letter. On July 11, Nuance confirmed in its investigation that the personal information of some WVU Medicine patients were involved in the breach. Nuance told WVU Medicine about the breach on Aug. 1.
The personal information involved included the patient’s date of birth, medical record number and gender as well as information about radiology studies received, including the practitioners name, healthcare facility name, date and description of services provided and the study report. It also may have included the patients’ names.
Nuance said the information involved did not include the patient’s medical record or radiology images, Social Security number or any financial information.
Local WVU Medicine facilities involved include WVU Medicine Wheeling, Reynolds Memorial, Barnesville, Harrison Community and Wetzel County hospitals. Other facilities listed include WVU Hospitals, Inc., WVU Medicine Summersville Regional, Berkeley, Jefferson and Garrett Regional medical centers, WVU Medicine Jackson General, Potomac Valley, Uniontown, Princeton Community, St. Joseph’s, Camden-Clark Memorial and Braxton County Memorial hospitals, United Summit Center and United Hospital Center.
In a statement posted on its website, WVU Medicine made clear that the breach occurred through third-party Nuance, and it was not a data breach of any WVU Medicine systems. A WVU Medicine spokesperson said Tuesday afternoon that the organization would not be commenting on the situation outside of that public statement.
In its letter to affected patients, Nuance provided the number to a toll-free call center, 888-988-0380, for anyone with questions about the breach. The center operates Monday through Friday from 9 a.m. to 9 p.m., excluding major U.S. holidays.
Those affected can contract the Federal Trade Commission and their respective states’ attorneys general offices. Affected West Virginia residents have the right to ask that nationwide consumer reporting agencies place fraud alerts in their files to let potential creditors and others know they may be victims of identity theft. They also have the right to place a security freeze on their credit reports.