CAMC acknowledges patient data vulnerability
Feb 16, 2011 (Charleston Daily Mail - McClatchy-Tribune Information Services via COMTEX) --
Charleston Area Medical Center issued this press release this morning describing a security breach at the hospital:
We wanted to let you know about a security incident that occurred at Charleston Area Medical Center's Research Institute, which involved the personal information of some of our patients.
On February 8, 2011, we learned that one of our databases containing information about 3655 patients had security vulnerability. The database was constructed in September 2010, by a third party information technology contractor. It was intended to help us evaluate and treat patients in an outpatient setting, to reduce unnecessary hospitalizations.
Unfortunately, the technology contractor overlooked a vulnerability that potentially left data in one section of the database exposed if someone were to conduct an advanced Internet search. Fortunately, a family member of one the patients alerted the West Virginia Attorney General's Consumer Protection Division to the problem and that Office, in turn, alerted the CAMC Health Education and Research Institute.
All access to the database was immediately blocked. We also worked with the Internet search engines to remove any data that could have been accessible through the web, even though, other than the person who discovered the problem, we have no reason to believe anyone else improperly accessed the data base.
The database contained the names, contact details, Social Security numbers, and dates of birth of patients, along with certain basic clinical information about some of them.
The database was a separate system and was not linked to any other systems within our hospital network. As such, our other systems containing personal information were not impacted by this situation.
Although we have not identified any instances of identity theft relating to this situation, we nevertheless recognize that this can be a concern for individuals whose data may have been subject to unauthorized access. We are accordingly offering all of the patients whose data was potentially exposed a full year of credit monitoring at our cost, through one of the three national credit bureaus, Equifax.
The plan that is being offered is Equifax's premium gold Three-in-One Credit Monitoring plan. In addition, CAMC is also offering to pay for the patients to apply a security freeze at all three national credit bureaus, to block any unauthorized persons from taking out new credit in their name.
Because identity theft can happen in many ways, we also included with the notification letters an Identity Theft Fact Sheet, as well as pamphlets about identity theft which were provided by the West Virginia Attorney General's Office and the U.S. Federal Trade Commission. The booklet from the Attorney General's Office also contains information on how to apply a security freeze, which provides even greater protection against identity theft than credit monitoring. CAMC is also offering to reimburse patients for the cost of applying for a security freeze.
We have also set up a toll free number to answer any questions that you may have and to provide additional information to you about credit monitoring or security freezes. Patients may call 1-855-388-6699 during normal business hours (weekdays, from 8 am to 5 pm, Eastern Standard Time).
We recognize that the confidence of our patients and the community may be shaken because of the action of our vendor and we are deeply sorry for that. Please be assured that we have worked around the clock with assistance from external privacy and security advisors to evaluate and address this situation, and taken actions to ensure appropriate safeguards will be put in place throughout our organization to protect the personal data that we collect and hold about our patients and other individuals.
The West Virginia Attorney General's Office issued this comment:
Mistake on medical website left private data unsecured
CHARLESTON -- West Virginia Attorney General Darrell McGraw today announced actions by his office and the Charleston Area Medical Center (CAMC) to secure the private information of 3655 patients affected by a data breach on a website set up for CAMC. The breach occurred within the research subsidiary of CAMC -- the CAMC Health Education Research Institute (CHERI).
As a result of discussions with the Attorney General's Consumer Protection Division, officers at CAMC have agreed to a number of measures to safeguard the information that was compromised, protect against further breaches, and ensure that the hospital's other websites are secure. CAMC has hired the Bonadio Group, a New York-based risk management group, for its security assessment.
"After learning of this security breach, my Consumer Protection Division immediately had the compromised website shut down," Attorney General McGraw said. "Data security is critical to our citizens and protecting it is a priority with my office."
Patients in the affected database will receive a notification packet from CAMC with a letter detailing actions for victims to take, identity protection and security freeze publications from the Attorney General's Office and the FTC, and information on special data security services to be offered by the hospital.
The breach was discovered last week by Lorrie Lane, an employee of People's Federal Credit Union in Nitro, during a telephone conversation with her brother-in-law. The brother-in-law had done an online search for an address so that he could invite a relative to a family wedding. He found that the relative's name, address, birth date, Social Security number, patient ID and other sensitive data was easily accessible on WVChamps.com, a CAMC website relating to respiratory and pulmonary rehabilitation for seniors.
Ms. Lane, who works with customers on mortgage applications, recognized that allowing such sensitive personal information to be unsecured is a dangerous identity theft problem and therefore immediately alerted the Attorney General's Office.
Patient information on WVChamps.com had been accessed 94 times, including hits from the Attorney General's Office and CAMC staff, since the reports were first posted on September 1, 2010. Although no instances of identity theft have yet been identified, the Attorney General's Office is monitoring the situation for any illicit use of patient data.
CAMC will offer victims of its data breach: an option to place a security freeze on their credit reports, paid by CAMC; a one-year enrollment in the "Gold ID Portal Plan," a comprehensive credit report monitoring plan from Equifax with $1 million of theft identity protection; and a call center with a toll-free number for questions about the breach. Additionally, the Attorney General's Office will run free credit reports for anyone whose information was included in the compromised website's report.
An audit showed that Google was the only search engine whose "bots" had visited the WVChamps website. Announcement of the breach was withheld until it could be verified that all of Google's search caches had been cleared and that the data was no longer accessible online. There is no evidence that other search engines retained any of the data.
West Virginia consumers who suspect that their personal data has been compromised can contact the Attorney General's Office by calling the Consumer Protection Hot Line, 1-800-368-8808, or by calling 1-855-388-6699, a toll-free hot line set up by CAMC. Consumers may also obtain a complaint form from the Attorney General's consumer web page at http://www.wvago.gov/. For regular consumer news updates, follow the AGO on Facebook and Twitter (AGWestV).
This is the Daily Mail's original story:
CHARLESTON, W.Va.--Information on 3,655 patients at an area hospital may have fallen into the wrong hands, but state officials are staying mum about what information, which hospital and who has it until later today.
Attorney General Darrell McGraw will hold a press conference this morning to detail information "concerning a data breach at a Kanawha County hospital affecting the personal information of more than 3,600 area residents," his office said in a Tuesday morning press release.
At attempt to contact each major area hospital did not reveal which had been affected.
Jim Strawn, a spokesman for Highland Hospital, said, "I haven't heard a thing" and indicated the hospital in question likely was not Highland.
Paige Johnson, a spokeswoman for Thomas Memorial and St. Francis, returned a call and left a message with a reporter but then could not be contacted again Tuesday evening.
Dale Witte, a spokesman for Charleston Area Medical Center, did not reply to several numbers left on his pager or to voicemails.
Fran Hughes, the chief deputy attorney general, said the office couldn't say more because state officials were working out arrangements with the hospital about what to do. Those arrangements may include setting up a hotline for victims of the data breach or giving people information about how to check their credit ratings in the event their identities are at risk.
Hughes said she didn't want to hamper settlement negotiations with the hospital or negatively affect consumers.
"I'm not going to preemptively do something that will interfere with that process," Hughes said. "We would have revealed it instantaneously when we found out, but there are steps that have to be taken."
Identity theft is an increasingly common problem as hackers breach what are supposedly secure data held by banks, colleges, hospitals and government agencies. At the same time, Americans are voluntarily posting previously hard-to-obtain information about themselves on websites.
The Federal Trade Commission estimates as many as 9 million Americans have their identities stolen every year.
"You may not find out about the theft until you review your credit report or a credit card statement and notice charges you didn't make -- or until you're contacted by a debt collector," a FTC website said.
Contact writer Ry Rivard at firstname.lastname@example.org or 304-348-1796.
To see more of the Charleston Daily Mail, or to subscribe to the newspaper, go
to http://www.dailymail.com. Copyright (c) 2011, Charleston Daily Mail, W.Va.
Distributed by McClatchy-Tribune Information Services. For more information
about the content services offered by McClatchy-Tribune Information Services
(MCT), visit www.mctinfoservices.com.
[ Back To Mobile Security Homepage's Homepage ]