W. Va. Medical Center reports vulnerability
A Charleston Area Medical Center (CAMC) Research Institute database containing personal information on more than 3,600 patients was found to have a security vulnerability that potentially left data in one section of the database exposed to advanced Internet searches, CAMC reported. The vulnerability was discovered and resolved last month.
The healthcare organization, based in Charleston, W. Va., issued a breach advisory on its web site and notified potentially affected patients in a letter dated Feb. 16.
On Feb. 8, CAMC learned about the vulnerability, which was in a database constructed in September 2010 by a third-party contractor and contained information on 3,655 patients. The vulnerability potentially left data in one section of the database exposed to advanced internet searches, the advisory stated. A family member of one of the patients alerted the state Attorney General’s Consumer Protection Division, which alerted CAMC.
“The site was not advertised, not linked to, had limited availability to care providers and could only be accessed through an advanced search,” the advisory stated. The database contained the names, contact details, Social Security numbers and dates of birth of patients, along with certain basic clinical information about some patients, the provider reported, but was not linked to any other systems within the hospital network.
CAMC had not identified any instances of identity theft relating to this situation, but offered a year of credit monitoring and a credit freeze to patients whose data was potentially exposed. A hotline was also set up for patients seeking more information.