West Virginia Attorney General Darrell McGraw today announced actions by his office and the Charleston Area Medical Center (CAMC) to secure the private information of 3655 patients affected by a data breach on a website set up for CAMC. The breach occurred within the research subsidiary of CAMC – the CAMC Health Education Research Institute (CHERI).
As a result of discussions with the Attorney General’s Consumer Protection Division, officers at CAMC have agreed to a number of measures to safeguard the information that was compromised, protect against further breaches, and ensure that the hospital’s other websites are secure. CAMC has hired the Bonadio Group, a New York-based risk management group, for its security assessment.
“After learning of this security breach, my Consumer Protection Division immediately had the compromised website shut down,” Attorney General McGraw said. “Data security is critical to our citizens and protecting it is a priority with my office.”
Patients in the affected database will receive a notification packet from CAMC with a letter detailing actions for victims to take, identity protection and security freeze publications from the Attorney General’s Office and the FTC, and information on special data security services to be offered by the hospital.
The breach was discovered last week by Lorrie Lane, an employee of People’s Federal Credit Union in Nitro, during a telephone conversation with her brother-in-law. The brother-in-law had done an online search for an address so that he could invite a relative to a family wedding. He found that the relative’s name, address, birth date, Social Security number, patient ID and other sensitive data was easily accessible on WVChamps.com, a CAMC website relating to respiratory and pulmonary rehabilitation for seniors.
Ms. Lane, who works with customers on mortgage applications, recognized that allowing such sensitive personal information to be unsecured is a dangerous identity theft problem and therefore immediately alerted the Attorney General’s Office.
Patient information on WVChamps.com had been accessed 94 times, including hits from the Attorney General’s Office and CAMC staff, since the reports were first posted on September 1, 2010. Although no instances of identity theft have yet been identified, the Attorney General’s Office is monitoring the situation for any illicit use of patient data.
CAMC will offer victims of its data breach: an option to place a security freeze on their credit reports, paid by CAMC; a one-year enrollment in the “Gold ID Portal Plan,” a comprehensive credit report monitoring plan from Equifax with $1 million of theft identity protection; and a call center with a toll-free number for questions about the breach. Additionally, the Attorney General’s Office will run free credit reports for anyone whose information was included in the compromised website’s report.
An audit showed that Google was the only search engine whose “bots” had visited the WVChamps website. Announcement of the breach was withheld until it could be verified that all of Google’s search caches had been cleared and that the data was no longer accessible online. There is no evidence that other search engines retained any of the data.
West Virginia consumers who suspect that their personal data has been compromised can contact the Attorney General’s Office by calling the Consumer Protection Hot Line, 1-800-368-8808 , or by calling 1-855-388-6699 , a toll-free hot line set up by CAMC. Consumers may also obtain a complaint form from the Attorney General’s consumer web page at www.wvago.gov.
The Office of Inadequate Security
