Breach Incident: Website Exposes Data

Web Search Reveals Vulnerable Database
Charleston Area Medical Center in West Virginia is notifying nearly 4,000 patients of a health information breach incident involving personal information exposed on a research website.

The accessibility of the online database was discovered when someone conducting a web search for a mailing address to invite a relative to a wedding found the relative's name, address, birth date, Social Security number, patient ID and other information on the website, according to a statement from West Virginia Attorney General Darrell McGraw. The website was designed for respiratory and pulmonary rehabilitation for seniors.

The attorney general was alerted to the problem and notified the hospital, which immediately shut down the site and alerted Internet search engines to remove any data that could have been accessible.

Patient information on the website had been accessed 94 times since Sept. 1, 2010, including hits from the attorney general's office and hospital staff, according to the attorney general's statement. So far, no cases of identity theft related to the information have been identified.

Privacy Safeguards

"As a result of discussions with the attorney general's consumer protection division, officers at CAMC have agreed to a number of measures to safeguard the information that was compromised, protect against further breaches and ensure that the hospital's other websites are secure," according to the attorney general's statement. In addition, the hospital has hired New York-based Bonadio Group to conduct a security assessment.

The hospital is offering the 3,655 affected patients one year's worth of free credit monitoring.

The database on the website was created by a third-party contractor, which overlooked a vulnerability that potentially left data in one section exposed if someone were to conduct an advanced Internet search, the hospital said in a statement.

"The site was not advertised, not linked to, had limited availability to care providers and could only be accessed through an advanced search," the hospital said. "However, we cannot be sure the site has not been improperly accessed."

The HITECH Act breach notification rule requires that breaches affecting 500 or more be reported to federal authorities as well as the individuals involved within 60 days.

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
