From The Sip Trunking Experts

TMCNet:  CAMC acknowledges patient data vulnerability

[February 16, 2011]

CAMC acknowledges patient data vulnerability

Feb 16, 2011 (Charleston Daily Mail - McClatchy-Tribune Information Services via COMTEX) -- Charleston Area Medical Center issued this press release this morning describing a security breach at the hospital: We wanted to let you know about a security incident that occurred at Charleston Area Medical Center's Research Institute, which involved the personal information of some of our patients.

On February 8, 2011, we learned that one of our databases containing information about 3655 patients had security vulnerability. The database was constructed in September 2010, by a third party information technology contractor. It was intended to help us evaluate and treat patients in an outpatient setting, to reduce unnecessary hospitalizations.

Unfortunately, the technology contractor overlooked a vulnerability that potentially left data in one section of the database exposed if someone were to conduct an advanced Internet search. Fortunately, a family member of one the patients alerted the West Virginia Attorney General's Consumer Protection Division to the problem and that Office, in turn, alerted the CAMC Health Education and Research Institute.

All access to the database was immediately blocked. We also worked with the Internet search engines to remove any data that could have been accessible through the web, even though, other than the person who discovered the problem, we have no reason to believe anyone else improperly accessed the data base.

The database contained the names, contact details, Social Security numbers, and dates of birth of patients, along with certain basic clinical information about some of them.

The database was a separate system and was not linked to any other systems within our hospital network. As such, our other systems containing personal information were not impacted by this situation.

Although we have not identified any instances of identity theft relating to this situation, we nevertheless recognize that this can be a concern for individuals whose data may have been subject to unauthorized access. We are accordingly offering all of the patients whose data was potentially exposed a full year of credit monitoring at our cost, through one of the three national credit bureaus, Equifax.

The plan that is being offered is Equifax's premium gold Three-in-One Credit Monitoring plan. In addition, CAMC is also offering to pay for the patients to apply a security freeze at all three national credit bureaus, to block any unauthorized persons from taking out new credit in their name.

Because identity theft can happen in many ways, we also included with the notification letters an Identity Theft Fact Sheet, as well as pamphlets about identity theft which were provided by the West Virginia Attorney General's Office and the U.S. Federal Trade Commission. The booklet from the Attorney General's Office also contains information on how to apply a security freeze, which provides even greater protection against identity theft than credit monitoring. CAMC is also offering to reimburse patients for the cost of applying for a security freeze.

We have also set up a toll free number to answer any questions that you may have and to provide additional information to you about credit monitoring or security freezes. Patients may call 1-855-388-6699 during normal business hours (weekdays, from 8 am to 5 pm, Eastern Standard Time).

We recognize that the confidence of our patients and the community may be shaken because of the action of our vendor and we are deeply sorry for that. Please be assured that we have worked around the clock with assistance from external privacy and security advisors to evaluate and address this situation, and taken actions to ensure appropriate safeguards will be put in place throughout our organization to protect the personal data that we collect and hold about our patients and other individuals.

The West Virginia Attorney General's Office issued this comment: Mistake on medical website left private data unsecured CHARLESTON -- West Virginia Attorney General Darrell McGraw today announced actions by his office and the Charleston Area Medical Center (CAMC) to secure the private information of 3655 patients affected by a data breach on a website set up for CAMC. The breach occurred within the research subsidiary of CAMC -- the CAMC Health Education Research Institute (CHERI).

As a result of discussions with the Attorney General's Consumer Protection Division, officers at CAMC have agreed to a number of measures to safeguard the information that was compromised, protect against further breaches, and ensure that the hospital's other websites are secure. CAMC has hired the Bonadio Group, a New York-based risk management group, for its security assessment.

"After learning of this security breach, my Consumer Protection Division immediately had the compromised website shut down," Attorney General McGraw said. "Data security is critical to our citizens and protecting it is a priority with my office." Patients in the affected database will receive a notification packet from CAMC with a letter detailing actions for victims to take, identity protection and security freeze publications from the Attorney General's Office and the FTC, and information on special data security services to be offered by the hospital.

The breach was discovered last week by Lorrie Lane, an employee of People's Federal Credit Union in Nitro, during a telephone conversation with her brother-in-law. The brother-in-law had done an online search for an address so that he could invite a relative to a family wedding. He found that the relative's name, address, birth date, Social Security number, patient ID and other sensitive data was easily accessible on, a CAMC website relating to respiratory and pulmonary rehabilitation for seniors.

Ms. Lane, who works with customers on mortgage applications, recognized that allowing such sensitive personal information to be unsecured is a dangerous identity theft problem and therefore immediately alerted the Attorney General's Office.

Patient information on had been accessed 94 times, including hits from the Attorney General's Office and CAMC staff, since the reports were first posted on September 1, 2010. Although no instances of identity theft have yet been identified, the Attorney General's Office is monitoring the situation for any illicit use of patient data.

CAMC will offer victims of its data breach: an option to place a security freeze on their credit reports, paid by CAMC; a one-year enrollment in the "Gold ID Portal Plan," a comprehensive credit report monitoring plan from Equifax with $1 million of theft identity protection; and a call center with a toll-free number for questions about the breach. Additionally, the Attorney General's Office will run free credit reports for anyone whose information was included in the compromised website's report.

An audit showed that Google was the only search engine whose "bots" had visited the WVChamps website. Announcement of the breach was withheld until it could be verified that all of Google's search caches had been cleared and that the data was no longer accessible online. There is no evidence that other search engines retained any of the data.

West Virginia consumers who suspect that their personal data has been compromised can contact the Attorney General's Office by calling the Consumer Protection Hot Line, 1-800-368-8808, or by calling 1-855-388-6699, a toll-free hot line set up by CAMC. Consumers may also obtain a complaint form from the Attorney General's consumer web page at For regular consumer news updates, follow the AGO on Facebook and Twitter (AGWestV).

This is the Daily Mail's original story: CHARLESTON, W.Va.--Information on 3,655 patients at an area hospital may have fallen into the wrong hands, but state officials are staying mum about what information, which hospital and who has it until later today.

Attorney General Darrell McGraw will hold a press conference this morning to detail information "concerning a data breach at a Kanawha County hospital affecting the personal information of more than 3,600 area residents," his office said in a Tuesday morning press release.

At attempt to contact each major area hospital did not reveal which had been affected.

Jim Strawn, a spokesman for Highland Hospital, said, "I haven't heard a thing" and indicated the hospital in question likely was not Highland.

Paige Johnson, a spokeswoman for Thomas Memorial and St. Francis, returned a call and left a message with a reporter but then could not be contacted again Tuesday evening.

Dale Witte, a spokesman for Charleston Area Medical Center, did not reply to several numbers left on his pager or to voicemails.

Fran Hughes, the chief deputy attorney general, said the office couldn't say more because state officials were working out arrangements with the hospital about what to do. Those arrangements may include setting up a hotline for victims of the data breach or giving people information about how to check their credit ratings in the event their identities are at risk.

Hughes said she didn't want to hamper settlement negotiations with the hospital or negatively affect consumers.

"I'm not going to preemptively do something that will interfere with that process," Hughes said. "We would have revealed it instantaneously when we found out, but there are steps that have to be taken." Identity theft is an increasingly common problem as hackers breach what are supposedly secure data held by banks, colleges, hospitals and government agencies. At the same time, Americans are voluntarily posting previously hard-to-obtain information about themselves on websites.

The Federal Trade Commission estimates as many as 9 million Americans have their identities stolen every year.

"You may not find out about the theft until you review your credit report or a credit card statement and notice charges you didn't make -- or until you're contacted by a debt collector," a FTC website said.

Contact writer Ry Rivard at or 304-348-1796.

To see more of the Charleston Daily Mail, or to subscribe to the newspaper, go to Copyright (c) 2011, Charleston Daily Mail, W.Va.

Distributed by McClatchy-Tribune Information Services. For more information about the content services offered by McClatchy-Tribune Information Services (MCT), visit

[ Back To SIP Trunking Home's Homepage ]

Subscribe here for your FREE
SIP TRUNKING enewslettter.

Featured Partner

Featured Whitepapers

SIP Security for the Enterprise
Voice over IP (VoIP) is incorporated into a variety of computer networks, both public and private, and used for everyday transactions and communications among carriers, businesses, government agencies...

Making A Broadband Purchase Decision
Businesses today have many options for broadband connectivity. Clarifying your particular business needs prior to selecting a broadband provider will ensure an optimal match of broadband service to your requirements.

Voice-Optimized Network Delivers Premier Call Experience
Customers equate call quality with business quality. Real-time communication, interpersonal interaction, and the cordial tone of a call center representative can create a positive impression of your business that no email can match.

Featured Case Studies

Business Telecom Expenses Reduced 50%
A small to medium sized company in the midwest was interested in migrating to IP Communications, but in today's economy, they were hesitant to upgrade their communication system due to their perception that the cost would outweigh the benefits.

Multi-State Company Cuts Telecom Costs 50%
A multi-site, multi-state company with extensive monthly long distance fees and toll-free charges did not have adequate broadband for Broadvox SIP Trunking requirements, nor did they have a SIP enabled telephone system.

Discover Leisure Connects Remote Users to its IP-PBX
Discover Leisure is one of the largest resellers of caravans and motor homes in the UK. With 15 branch of?ces all over the country, the company spent a great deal of money every month just on internal phone calls.

Featured eBOOKS

Internet+: The Way Toward Global Unified Communication
Connecting the telephony of the enterprise PBX or Unified Communications (UC) system using SIP trunks instead of conventional telephone lines has been very successful in recent years.

What is SIP Trunking? Edition 2
SIP trunking is becoming more of a focus for service providers. One key issue many service providers face when deploying SIP trunks is NAT, or Network Address Translation, traversal.

What is SIP Trunking? Edition 1
A vast resource for information about all things SIP - including SIP, security, VoIP, SIP trunking and Unified Communications.

Featured Videos

Broadvox VAR Testimonial VAR 1:
Part 1 of the VAR (Value Added Reseller) Partner Program Testimonials for Broadvox...

E-SBCs AS The Demarcation Point:
Ingate's Steve Johnson talks to Erik Linask about the role session border controller plays as the demarcation point at...

Demystifying DPI
How can deep packet inspection protect your SIP traffic as well as your entire network?

Featured Resources

Partner Program Overview:
Over 4,000 VARs, Master Agents, Solution Providers, and Independent IT Professionals trust Broadvox. We offer customized services and solutions to fit seamlessly into any company's business model. And when you partner with Broadvox, every member of our team stands behind you and your customers 100%...

SIP Trunk UC Summit

What's New

Presenting the New Ingate/Intertex Website:
Internet+ is an extended Internet access allowing high quality SIP (Session Initiation Protocol) based real-time person-to-person communication, everywhere and for any application. It applies to both fixed and mobile networks ...

Featured Blogs

Featured Webinars

Secure SIP Trunking:
What You Need to Know

Successfully Deploying Enterprise SIP Trunking:
Tools and Techniques for Overcoming Common Roadblocks

Featured Podcasts

Getting the Most Out of Your SIP Trunks:
Ingate's Steve Johnson and TMC's Erik Linask discuss how best practices forgetting the most out of SIP Trunking services and common pitfalls to avoid.

Featured Datasheets

Ingate SIParator E-SBCs
Adopting SIP is a simple process with the Ingate SIParator, the secure enterprise session border controller (E-SBC). The SIParator makes secure SIP communications - including VoIP,SIP trunking and more - possible while working seamlessly with your existing network firewall.

Ingate Firewalls
Everyone is talking about enterprise usage of VoIP, instant messaging and other types of realtime communications including presence and conferencing.

SIP Trunk Solutions for Service Providers
The award-winning Ingate Firewall and Ingate SIParator deliver a high quality, reliable SIP trunk connection between the customer's IP-PBX and the service provider network, and solve interoperability issues to simplify deployments and support for remote diagnosis of reported issues.