WVU Medecine 2023 Data Breach

WVU Medicine Academic Health System Breach (2023): 2.9 Million Patient Records Including Medical Diagnoses & SSN | ObscureIQ
ObscureIQ Breach Intelligence

Classification Tags

Unauthorized AccessMedicalAccount BalanceEmail AddressFull NameMedical DiagnosisPhone NumberPhysical AddressSocial Security Number
Low SeverityWebsite / service breach

WVU Medicine Academic Health System Breach (2023): 2.9 Million Patient Records Including Medical Diagnoses & SSN

Academic health system affiliated with West Virginia University.

Verified by ObscureIQ Intelligence
0/100Breach Risk Index
63Data Value

Breach Intelligence Summary

Entity: WVU Medecine · Actor: Unknown · Sources: 2 references
Attack: Unauthorized Access
Profile: Healthcare provider · Hospital and clinical services · Academic health system · USA
Timeline: Breach (2023-05-31) · Year (2023)
Exposure: 2.9M records · 7 fields: Account Balance, Email Address, Full Name, Medical Diagnosis, Phone Number, Physical Address, Social Security Number
Status: Reported

Executive Summary

WVU Medicine, the academic health system affiliated with West Virginia University, suffered data breaches in 2023 through two third-party vendors. One incident involved unauthorized access to the ECHO Provider Services portal, exposing patient names and insurance details. A separate vendor breach was far broader in scope, ultimately compromising approximately 2.9 million records. The more extensive breach exposed a serious combination of personal, financial, and medical information: names, home addresses, email addresses, phone numbers, Social Security numbers, account balances, and medical diagnoses. This combination is particularly dangerous. Social Security numbers enable identity theft and fraudulent credit activity, while medical diagnoses paired with account balances can be used to craft highly targeted scams that exploit a patient's health condition or outstanding bills. WVU Medicine notified affected patients and reported both incidents to regulators as required under HIPAA, the federal law governing the privacy of patient health information. No major settlement or public enforcement action specific to these breaches has been documented. Affected individuals face elevated long-term risk of identity theft, medical fraud, and insurance abuse, and should closely monitor their credit reports, explanation-of-benefits statements, and any financial accounts for suspicious activity.

ObscureIQ assessment: Severe risk. The combination of SSNs, home addresses, account balance data, and medical diagnosis supports identity theft, medical fraud, insurance abuse, and highly targeted scams exploiting health status or unpaid balances.

Breach Impact

In 2023 WVU Medicine was affected by breaches through two third-party vendors. One involved unauthorized access to the ECHO Provider Services portal, compromising patient information including names and insurance details. A separate vendor incident resulted in more extensive exposure including account balances, email addresses, home addresses, phone numbers, Social Security numbers, and medical diagnoses across approximately 2.9 million records. WVU Medicine notified affected patients and reported the incidents to regulators. As a covered entity under HIPAA, the system's vendor oversight obligations were implicated by both incidents. No settlement or major enforcement action specific to these breaches has been prominently documented in public sources.

About WVU Medecine

WVU Medicine is the academic health system affiliated with West Virginia University, operating hospitals, specialty clinics, and outpatient facilities across West Virginia and the surrounding region. Its flagship facility is J.W. Ruby Memorial Hospital in Morgantown. The system serves as the primary tertiary care provider for much of rural West Virginia and provides clinical training for WVU's health sciences programs.

Why They Hold Your Data

Healthcare systems and hospital networks aggregate patient identity, contact, billing, insurance, and diagnosis data across clinical and vendor-connected systems.

Recent Developments

WVU Medicine has continued expanding its clinical and community health services across West Virginia. The system has invested in rural health access and telehealth infrastructure to serve a dispersed patient population. No major organizational changes beyond the breach context have been prominently reported.

Data Points Exposed

7 verified field types
Account Balance High
Email Address
Full Name High
Medical Diagnosis Critical
Phone Number
Physical Address High
Social Security Number Critical

Field names are shown in full for clarity and search visibility. Canonical machine keys are emitted only in this page’s structured data.

Exploitation & Downstream Threats

Threat Activity:Critical
Primary downstream threats:
  • Identity theft and synthetic identity construction using government-issued IDs
  • SIM swap attacks where phone numbers are present
  • Targeted phishing campaigns using exposed email addresses
  • Doxxing risk from physical address exposure
  • Medical identity fraud or insurance abuse using health data
Threat vectors:
  • High-value targeting
  • Phishing, credential stuffing & account takeover
  • Name-based social engineering
  • Medical extortion, insurance fraud & discrimination
  • SIM swapping, vishing & SMS phishing
  • Physical stalking, mail fraud & identity verification
  • Home targeting, stalking & physical threat
  • Full identity theft & synthetic identity fraud

Recommended Actions

If you believe your information may be included:

Protect Your ID Documents
Government-ID exposure enables document fraud — monitor and report misuse.
IdentityTheft.gov
Enable MFA Everywhere
Turn on multi-factor authentication on email first, then financial accounts.
Find 2FA settings
Report & Recover
If you spot misuse, start an official recovery plan and report fraud.
IdentityTheft.govReport to FTC

Frequently Asked Questions

What happened in the WVU Medecine breach?

WVU Medicine, the academic health system affiliated with West Virginia University, suffered data breaches in 2023 through two third-party vendors. One incident involved unauthorized access to the ECHO Provider Services portal, exposing patient names and insurance details. A separate vendor breach…

What data was exposed?

Verified fields include Account Balance, Email Address, Full Name, Medical Diagnosis, Phone Number, Physical Address, Social Security Number.

What should I do if I was affected?

Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.

Sources & References

Every claim on this page is traceable. This breach draws on:

Breach Index
DataBreach.com
Record & field corroboration
ObscureIQ Intelligence
ObscureIQ proprietary analysis
Risk Index scoring & downstream-threat assessment

Protect Yourself

Check If You're Affected

Enter your email to check whether your data appears in this breach. We’ll send a 6-digit code to confirm it’s your address.

Get Free Breach Alerts

Be the first to know when new breaches are disclosed. Free forever — confirm your email with a 6-digit code.

High-Risk? Get an Exposure Audit

Executives, public figures, and high-visibility operators can receive tailored exposure intelligence and hardening guidance.

Request Consultation