Data Incident Management

  • West Virginia University was recently alerted to a data breach in which a limited amount of personal information was available on a public-facing website.

  • On Nov. 25, 2022, the University was notified that a website that was set up in December 2021 and used for software development contained WVU information that was inadvertently publicly accessible. Almost immediately, as of Nov. 28, 2022, all information on the website was deleted from public view.

  • On Jan. 4, 2023, during the course of our investigation, we discovered that a document containing a listing of patient file names was also inadvertently accessible on the website and was downloaded by external parties.

  • No Social Security numbers, personal financial information, dates of birth, home addresses, account numbers, passwords or any other information that could be used for identity theft purposes were involved.

  • The unsecured information in the document was limited to a file name with patients’ first and last names and one of the following:
    • The patient’s medical test name
    • The patient’s medical procedure or treatment name
    • The patient’s potential exposure to a disease

Frequently Asked Questions

What information was involved?

The unsecured information in the document was limited to a file name with patients’ first and last names and one of the following:

  • The patient’s medical test name
    Example: Y:\TEST-NAME\LAST, FIRST SP (test number).pdf
  • The patient’s medical procedure or treatment name
    Examples: \WVU\Clinical practice\medical procedure\ FIRST, LAST NAME
    WVU\Clinical practice\procedure\letters\date\LAST NAME, FIRST
  • The patient’s potential exposure to a disease
    Example: \WVU\Clinical practice\DATE\LAST NAME, FIRST (potential disease exposure)

Only the file name was disclosed and not the contents of the file or any medical records. The data did not include Social Security numbers, personal financial information, dates of birth, home addresses, account numbers, passwords or any other information that could be used for identity theft purposes.

Where was the data available?

A file containing a limited amount of personal information was inadvertently made available on a public-facing website that is used by software developers to store, track and collaborate on projects.

Who had access to the data?

Any member of the software development website community had access to the data while it was posted publicly to the site.

What actions did WVU take when alerted that the data was public?

All information on the website was deleted from public view on Nov. 28, 2022. WVU has provided notifications to the individuals personally affected by this data breach and provided them with additional information and instructions for safeguarding their information. The University also is conducting a thorough review of our information security and privacy policies to ensure incidents such as this one do not happen in the future.

My information was included in this incident. Is there anything I should do to protect my data?

At this time, we have no indication that patients’ personal information has been misused. However, patients involved in this incident are encouraged to monitor their personal records to ensure there is no suspicious use or misuse of their information.

Is there someone I can contact with questions?

Patients who have questions or concerns about this incident are asked to contact the WVU Health Sciences Risk Management and Privacy Office toll-free at 1-888-825-1401 (8:15 a.m. to 4:45 p.m.)
