MORGANTOWN, W.Va. (WBOY) — A security breach at a third-party company led to information about patients across West Virginia United Health System (WVUHS) being taken.
According to a letter that was sent to patients affected by the “security incident,” Nuance Communications, Inc., which provides software solutions to WVUHS, used the third-party data transfer system MOVEit Transfer, which had a “previously unknown vulnerability in their software that allowed an unauthorized third party to take information.”
The following medical facilities were affected, according to the letter:
- WVU Hospitals, Inc (which includes J.W. Ruby Memorial Hospital)
- Summersville Regional Medical Center
- Reynolds Memorial Hospital
- Berkeley Medical Center
- Jefferson Medical Center
- Potomac Valley Hospital, Inc.
- United Summit Center
- United Hospital Center, Inc.
- Wheeling Hospital, Inc.
- Barnesville Hospital
- Harrison Community Hospital, Inc.
- St. Joseph’s Hospital, Inc.
- Camden-Clark Memorial Hospital
- Braxton County Memorial Hospital, Inc.
- Jackson General Hospital
- Wetzel County Hospital
- Uniontown Hospital
- Garrett Regional Medical Center
- Princeton Community Hospital Association
According to the letter and a press release from WVU Medicine, information such as date of birth, medical record number and gender was involved, and for those who received radiology studies, the letter said that patient name, date and description of service, including practitioner’s name and healthcare facility name, and the study report were also taken. The letter said that medical records, radiology images, social security numbers and financial information were not involved in the breach.
The letter said that the breach happened on May 28 and 29 of 2023 and that after investigation, Nuance told WVUHS about it on Aug. 1. Patients whose personal information was impacted should have received a letter. In its press release on Sept. 26, WVU Medicine emphasized that the incident was “NOT a data breach of any WVU Medicine systems.”
The Nuance letter said at this point, the company has taken “extensive measures” to protect patient information, including conducting an investigation with help from cybersecurity experts and legal counsel and notifying law enforcement. The WVU Medicine release also said that patients can call Nuance at 1-888-988-0380 for more information.
Patients who received a letter or are concerned about their data should review their accounts and credit reports for suspicious activity. If a patient thinks their personal information has been misused, they should contact the Federal Trade Commission at 1-877-438-4338, or their state attorney general; for West Virginia, that is Patrick Morrisey’s office which can be reached at 1-800-368-8808.