West Virginia University (WVU) confirmed that limited patient information was exposed during a data breach discovered earlier this year.
In a press release, WVU explained that in November 2022 the school learned that a website set up in 2021 and used for software development contained WVU information that was inadvertently publicly accessible. However, the school said that “almost immediately” in November 2022, all information on the website was deleted from public view.
As part of its investigation of this incident, WVU discovered earlier this year that a document containing a listing of patient file names was also inadvertently accessible on the website and had been downloaded by external parties.
The school stressed in a press release that no Social Security numbers, personal financial information, dates of birth, home addresses, account numbers, passwords, or any other information that “could be used for identity theft purposes were involved.” Rather, the unsecured information in the document was limited to a file name with patients’ first and last names and either the patient’s medical test name, the patient’s medical procedure or treatment name, or the patient’s potential exposure to a disease.
Additionally, WVU said that only the file name was disclosed and not the contents of the file or patient medical records. WVU also said that the document did not link back to patients’ actual medical files, which are maintained and protected in an encrypted file server accessible only by authorized individuals who provide clinical, academic, or administrative services to patients.
In a press release, the school said it is conducting a thorough review of its information security and privacy policies to ensure that incidents such as this one do not happen in the future. At this time, WVU said it has no indication that the personal information of patients has been misused.