West Virginia hospital breach exposes sensitive patient data

Attackers penetrated Weirton Medical Center’s networks and stole data on nearly 27,000 patients.

The attackers roamed Weirton’s systems for at least four days in mid-January this year, the hospital revealed in a breach notification letter.

“[…] between January 14th 2024, and January 18th 2024, an unknown actor gained access to certain systems on our network and acquired certain files from these systems,” reads the hospital’s notification.

A subsequent investigation into the attack revealed that attackers accessed a trove of sensitive details. According to information that the hospital submitted to the US Department of Health and Human Services Office for Civil Rights, 26,793 people were impacted by the attack.

Weirton claims that attackers may have accessed personal patient data such as:

  • Names
  • Social Security numbers
  • Dates of birth
  • Medical information
  • Health insurance information
  • Treatment information
  • Balance due on the medical bill

Attackers target hospitals precisely for this type of information, as individual healthcare data can be sold for hundreds of dollars on dark web forums.

For example, malicious actors can use medical details for medical identity theft, a type of fraud where threat actors use stolen information to submit forged claims to Medicare and other health insurers.

Meanwhile, other personally identifiable information (PII) may be used to commit fraud, from identity theft and phishing attacks to opening new credit accounts, making unauthorized purchases, or obtaining loans under false pretenses.

According to Weirton, the hospital has no evidence of actual attempts to misuse the exposed information. The organization also noted that its “electronic medical record (EMR) system is not hosted within Weirton’s network and was not impacted by this event.”

Weirton operates a 238-bed acute care hospital, serving patients from West Virginia, eastern Ohio and western Pennsylvania. The organization operates over 50 ancillary locations throughout the tri-state region and employs over 1400 people.