Data Incident Management

Data Breach Information

West Virginia University was recently made aware of a data breach that involved a small amount of personal information being temporarily available on a public website.

On Nov. 25, 2022, WVU learned that a website created for software development in December 2021 contained University information that was accidentally accessible to the public. The information was removed from public view by Nov. 28, 2022.

During an ongoing review, WVU discovered on Jan. 4, 2023, that one additional document had also been accessible and was downloaded by external parties. This document listed patient file names.

Importantly, no Social Security numbers, financial details, passwords, dates of birth, home addresses, or other information that could lead to identity theft were exposed.

The unsecured information was limited to file names that included a patient’s first and last name along with one of the following:

  • A medical test name

  • A medical procedure or treatment name

  • A potential disease exposure

Frequently Asked Questions

What information was involved?

The unsecured information in the document was limited to a file name with patients’ first and last names and one of the following:

  • The patient’s medical test name
    Example: Y:\TEST-NAME\LAST, FIRST SP (test number).pdf

  • The patient’s medical procedure or treatment name
    Examples: \WVU\Clinical practice\medical procedure\ FIRST, LAST NAME
    WVU\Clinical practice\procedure\letters\date\LAST NAME, FIRST

  • The patient’s potential exposure to a disease
    Example: \WVU\Clinical practice\DATE\LAST NAME, FIRST (potential disease exposure)

Only the file name was disclosed and not the contents of the file or any medical records. The data did not include Social Security numbers, personal financial information, dates of birth, home addresses, account numbers, passwords or any other information that could be used for identity theft purposes.

Where was the data available?

A file containing a limited amount of personal information was inadvertently made available on a public-facing website that is used by software developers to store, track and collaborate on projects.

Who had access to the data?

Any member of the software development website community had access to the data while it was posted publicly to the site.

What actions did WVU take when alerted that the data was public?

All information on the website was deleted from public view on Nov. 28, 2022. WVU has provided notifications to the individuals personally affected by this data breach and provided them with additional information and instructions for safeguarding their information. The University also is conducting a thorough review of our information security and privacy policies to ensure incidents such as this one do not happen in the future.

My information was included in this incident. Is there anything I should do to protect my data?

At this time, we have no indication that patients’ personal information has been misused. However, patients involved in this incident are encouraged to monitor their personal records to ensure there is no suspicious use or misuse of their information.

Is there someone I can contact with questions?

Patients who have questions or concerns about this incident are asked to contact the WVU Health Sciences Risk Management and Privacy Office toll-free at 1-888-825-1401 (8:15 a.m. to 4:45 p.m.)