Breach Incident: Website Exposes Data
Web Search Reveals Vulnerable Database
The accessibility of the online database was discovered when someone conducting a web search for a mailing address to invite a relative to a wedding found the relative's name, address, birth date, Social Security number, patient ID and other information on the website, according to a statement from West Virginia Attorney General Darrell McGraw. The website, WVChamps.com, was designed for respiratory and pulmonary rehabilitation for seniors.
The attorney general was alerted to the problem and notified the hospital, which immediately shut down the site and asked Internet search engines to remove any data that could have been accessible.
Patient information on the website had been accessed 94 times since Sept. 1, 2010, including hits from the attorney general's office and hospital staff, according to the attorney general's statement. So far, no cases of identity theft related to the information have been identified.
Privacy Safeguards
"As a result of discussions with the attorney general's consumer protection division, officers at CAMC have agreed to a number of measures to safeguard the information that was compromised, protect against further breaches and ensure that the hospital's other websites are secure," according to the attorney general's statement. In addition, the hospital has hired New York-based Bonadio Group to conduct a security assessment.
The hospital is offering the 3,655 affected patients one year's worth of free credit monitoring.
The database on the website was created by a third-party contractor, which overlooked a vulnerability that potentially left data in one section exposed if someone were to conduct an advanced Internet search, the hospital said in a statement.
"The site was not advertised, not linked to, had limited availability to care providers and could only be accessed through an advanced search," the hospital said. "However, we cannot be sure the site has not been improperly accessed."
The HITECH Act breach notification rule requires that breaches affecting 500 or more individuals be reported to federal authorities, as well as to the individuals involved, within 60 days.