West Virginia University last week informed its campus of a data breach involving patient information, and while patients’ medical records were not exposed, the file names of the medical records were accessed by external parties, a university press release said.
The data was inadvertently shared publicly on a website that was used by software developers as a code repository, West Virginia University Chief Information Officer Brice Knotts told EdScoop in an email. He declined to name the website used, but according to the university notice, the website was “set up in December 2021.” According to the notice, the university was informed of the breach on Nov. 25 and it “deleted from public view” all information by Nov. 28.
“Unfortunately the repository was misconfigured to be publicly accessible and was available to users of the repository service,” Knotts wrote. “It was not intended for the development community to see or work on.”
A university investigation confirmed that a document containing the file names of more than 500 patients’ medical records was downloaded by members of the software development community, who were not university staff.
“As mentioned in our press release, only the file name was disclosed and not the contents of the file or patient medical records. The documents did not link back to patients’ actual medical files,” Knotts wrote in his email.
Knotts told StateScoop the university reported the incident to the Department of Health and Human Services and notified affected individuals.