WVU Medicine reports third-party data breach

MORGANTOWN, W.Va. – West Virginia United Health System (WVU Medicine) has reported a third-party data breach that could have affected specific patients.

Those patients received a letter describing a “security incident” involving third-party vendor Nuance Communications, Inc., through the MOVEit Transfer system. The data transfer system had a “previously unknown vulnerability in their software that allowed an unauthorized third party to take information,” according to the report.

The following medical facilities listed in the letter were affected:

WVU Hospitals, Inc (which includes J.W. Ruby Memorial Hospital)
Summersville Regional Medical Center
Reynolds Memorial Hospital
Berkeley Medical Center
Jefferson Medical Center
Potomac Valley Hospital, Inc.
United Summit Center
United Hospital Center, Inc.
Wheeling Hospital, Inc.
Barnesville Hospital
Harrison Community Hospital, Inc.
St. Joseph’s Hospital, Inc.
Camden-Clark Memorial Hospital
Braxton County Memorial Hospital, Inc.
Jackson General Hospital
Wetzel County Hospital
Uniontown Hospital
Garrett Regional Medical Center
Princeton Community Hospital Association

Officials said the breach occurred on May 28 and 29, 2023, and involved personal information like date of birth, medical record number and gender. For those who received radiology studies, the letter said that patient name, date and description of service, including practitioner’s name and healthcare facility name, and the study report were also taken. The letter said medical records, radiology images, Social Security numbers and financial information were not involved in the breach.

Officials said the breach was not a data breach of any WVU Medicine system.

Nuance officials said extensive measures have been taken to protect patient information, including notifying law enforcement and conducting an internal investigation with help from cybersecurity experts and legal counsel. WVU Medicine patients can call Nuance at 1-888-988-0380 for more information.

Patients who received a letter or are concerned about their data should review their accounts and credit reports for suspicious activity. If a patient thinks their personal information has been misused, they should contact the Federal Trade Commission at 1-877-438-4338, or West Virginia Attorney General Patrick Morrisey at 1-800-368-8808.