Attorney General Darrell McGraw speaks Wednesday at a press conference regarding a patient security breach involving Charleston Area Medical Center. (Photo by Chris Dickerson)
CHARLESTON – The Attorney General's office announced Wednesday that a security breach involving Charleston Area Medical Center patients has been secured.
The breach occurred within CAMC's research subsidiary called CAMC Health Education Research Institute.
Attorney General Darrell McGraw's office said that the information from 3,655 patients was breached and had been available online since Sept. 1, 2010.
The information is now secure and CAMC is providing victims with comprehensive security assistance and identity protection.
Lorrie Lane of Nitro alerted the Attorney General's Office last week after she discovered it.
"My brother-in-law is getting married in July and we were looking up a family member's address on Google," Lane said. "He had typed in the family member's name and phone number and found the site in the search results."
Lane said it looked like a doctor's office Web site and listed people's names, addresses, dates of birth, phone numbers and Social Security numbers.
"The first thing that went through my mind was that if this information came into the wrong hands, someone's identity could easily be stolen," Lane said. "I know I wouldn't want my personal information out there."
Lane said she couldn't find a phone number on the Web site, so she decided to contact the Attorney General's Office.
McGraw said that once the problem was identified, the Web site was shut down immediately.
"Data security is critical to our citizens and protecting it is a priority with my office," McGraw said.
The site was designed to help CAMC evaluate and treat patients in an outpatient setting and to reduce unnecessary hospitalizations. A mistake in the formatting of the database allowed it to be accessed without a password.
Deputy Attorney General Jill Miles said there is no time limit in West Virginia to notify victims, but the Attorney General's Office waited to notify the public because the information was cached by Google. She said they wanted to get all the information off before going public with the information.
Patients in the affected database will receive a notification packet from the hospital with a letter detailing actions for victims to take, identity protection and security publications from the Attorney General's Office and the FTC, and information on special data security services to be offered by the hospital.
Patient information on the compromised Web site had been accessed 94 times, including hits from the Attorney General's Office and CAMC staff, since the reports were first posted in September. Although there have been no instances of identity theft reported, the Attorney General's Office is monitoring the situation for any illicit use of patient data.
CAMC will offer victims of the data breach an option to place a security freeze on their credit reports, paid by CAMC; a one-year enrollment in the "Gold ID Portal Plan," which is a comprehensive credit report monitoring plan from Equifax with $1 million of identity theft protection; and a call center with a toll-free number for questions about the breach.
The Attorney General's Office also will run free credit reports for anyone whose information was included in the compromised Web site's report.