WVU Medicine, the academic health system affiliated with West Virginia University, suffered data breaches in 2023 through two third-party vendors. One incident involved unauthorized access to the ECHO Provider Services portal, exposing patient names and insurance details. A separate vendor breach was far broader in scope, ultimately compromising approximately 2.9 million records. The more extensive breach exposed a serious combination of personal, financial, and medical information: names, home addresses, email addresses, phone numbers, Social Security numbers, account balances, and medical diagnoses. This combination is particularly dangerous. Social Security numbers enable identity theft and fraudulent credit activity, while medical diagnoses paired with account balances can be used to craft highly targeted scams that exploit a patient's health condition or outstanding bills. WVU Medicine notified affected patients and reported both incidents to regulators as required under HIPAA, the federal law governing the privacy of patient health information. No major settlement or public enforcement action specific to these breaches has been documented. Affected individuals face elevated long-term risk of identity theft, medical fraud, and insurance abuse, and should closely monitor their credit reports, explanation-of-benefits statements, and any financial accounts for suspicious activity.

Healthcare systems and hospital networks aggregate patient identity, contact, billing, insurance, and diagnosis data across clinical and vendor-connected systems.

WVU Medicine has continued expanding its clinical and community health services across West Virginia. The system has invested in rural health access and telehealth infrastructure to serve a dispersed patient population. No major organizational changes beyond the breach context have been prominently reported.