WVU Medicine Patient Information Compromised in Security Breach


MORGANTOWN, W.Va. - A significant security breach at a third-party company has resulted in unauthorized access to patient information across the West Virginia United Health System (WVUHS). The breach occurred due to a vulnerability in the MOVEit Transfer system, a third-party data transfer system used by Nuance Communications, Inc., which provides software solutions to WVUHS.

Affected Medical Facilities

The breach impacted several medical facilities, including:

  • WVU Hospitals, Inc (including J.W. Ruby Memorial Hospital)
  • Summersville Regional Medical Center
  • Reynolds Memorial Hospital
  • Berkeley Medical Center
  • Jefferson Medical Center
  • Potomac Valley Hospital, Inc.
  • United Summit Center
  • United Hospital Center, Inc.
  • Wheeling Hospital, Inc.
  • Barnesville Hospital
  • Harrison Community Hospital, Inc.
  • St. Joseph’s Hospital, Inc.
  • Camden-Clark Memorial Hospital
  • Braxton County Memorial Hospital, Inc.
  • Jackson General Hospital
  • Wetzel County Hospital
  • Uniontown Hospital
  • Garrett Regional Medical Center
  • Princeton Community Hospital Association

Details of the Breach:

According to the letter sent to affected patients and a press release from WVU Medicine, the compromised information included details such as date of birth, medical record number, and gender. For patients who underwent radiology studies, their names, dates, descriptions of service, practitioner’s name, healthcare facility name, and the study report were also accessed. However, medical records, radiology images, Social Security numbers, and financial information were not part of the breach.

The breach took place on May 28 and 29 of 2023. After conducting an investigation, Nuance informed WVUHS about the incident on August 1. WVU Medicine emphasized in its press release on September 26 that this was not a data breach of any of its systems.

Measures Taken:

Nuance Communications has since taken extensive measures to safeguard patient information. These include conducting a thorough investigation with the assistance of cybersecurity experts and legal counsel and notifying law enforcement agencies. Patients who believe their personal information might have been misused are advised to monitor their accounts and credit reports for any suspicious activity. They can also contact the Federal Trade Commission or their state attorney general for further assistance.

For more information or concerns, patients can reach out to Nuance at 1-888-988-0380.