West Virginia University recently was alerted of a data breach involving a limited amount of personal information being available on a public-facing website.
On Nov. 25, 2022, WVU was notified that a website that was set up in December 2021 and used for software development contained WVU information that was inadvertently publicly accessible. Almost immediately, as of Nov. 28, 2022, all information on the website was deleted from public view.
On Jan. 4, 2023, during the course of the University’s investigation, it was discovered that a document containing a listing of patient file names also was inadvertently accessible on the website and downloaded by external parties.
No Social Security numbers, personal financial information, dates of birth, home addresses, account numbers, passwords or any other information that could be used for identity theft purposes were involved.
The unsecured information in the document was limited to a file name with patients’ first and last names and one of the following:
- The patient’s medical test name
- The patient’s medical procedure or treatment name
- The patient’s potential exposure to a disease
Only the file name was disclosed and not the contents of the file or patient medical records.
The document did not link back to patients’ actual medical files, which are maintained and protected in an encrypted file server accessible only by authorized individuals who provide clinical, academic or administrative services to patients.
WVU is conducting a thorough review of its information security and privacy policies to ensure incidents such as this one do not happen in the future. At this time, the University has no indication that the personal information of patients has been misused.
WVU is providing notifications, including additional resources and instructions for safeguarding information, to the individuals personally affected by this data breach.
Although no sensitive financial or personal information was disclosed, patients involved in this incident are encouraged to monitor their personal records to ensure there is no suspicious use or misuse of their information.
Additional information can be found at go.wvu.edu/HSC-Data-Incident.
Patients who have questions or concerns about this incident are asked to contact the WVU Health Sciences Risk Management and Privacy Office toll-free at
MEDIA CONTACT: Shauna Johnson
Director of News Communications
Call 1-855-WVU-NEWS for the latest West Virginia University news and information from WVUToday.
Follow @WVUToday on Twitter.