Notice of Data Privacy Incident

We are providing notice of recent incidents that may affect the privacy of some personal and/or medical information collected from MUSC Health locations. 

College of Dental Medicine Provides Notice of Privacy Incident

The Medical University of South Carolina’s (MUSC’s) College of Dental Medicine (CDM) recently became aware of an incident in which the first and last names of some individuals were inadvertently disclosed to another individual.

What Happened? On September 15, 2023, we discovered that an email, sent on September 14, 2023, inviting some patients to our new dental patient portal was mistakenly sent to another individual.

What Information Was Involved? After conducting a thorough investigation, we determined that the email only contained first and last names. The email did not include or provide access to other personal, financial or treatment information.

What Are We Doing? We take patient privacy seriously and are engaging in additional staff education and training to help prevent similar occurrences.

What Can You Do? We are notifying you out of an abundance of caution, in compliance with our current policies. No action on your behalf is necessary as we do not anticipate that you will suffer any harm as a result of this matter.

We have set up a dedicated, toll-free call center for patients to call with questions. This service is available Monday through Friday between 9 a.m. and 6:30 p.m. Eastern Standard Time at (866) 347-8591.

Westat Inc. Provides Notice of Data Privacy Incident

Westat provides research support and services pursuant to hospital and provider contracts with certain governmental agencies, including Medical University Hospital Authority’s MUSC Health hospitals. Westat Inc. (“Westat”) is providing notice of a recent incident that may affect the privacy of some personal and/or medical information collected from Medical University Hospital Authority’s hospitals. Westat is unaware of any misuse of individual information and is providing this notice out of an abundance of caution.

Westat utilized MOVEit Transfer (“MOVEit”) third-party software to manage data it collected and/or maintained on behalf of other organizations. On May 30, 2023, Westat detected unusual activity occurring in its MOVEit instance. Westat immediately took steps to ensure the security of its environment. The following day, MOVEit announced a software vulnerability had affected many companies across various industries. With the assistance of third-party forensic specialists, Westat investigated to determine the nature and scope of the activity.

The investigation determined that certain data stored on the MOVEit server may have been copied without authorization between May 28 and May 29. Westat conducted a detailed review of data involved to determine the type of information that was present and to whom it related. This review confirmed that certain information belonging to medical providers was present in the affected data and was accessed or acquired during the MOVEit incident. Upon completion of this analysis, Westat notified governmental agency partners and affected medical providers and is now providing notification to affected individuals at the direction of certain medical providers involved.

The types of personal information that may have been copied by the unauthorized actor include patient demographics such as name, address, medical record number, provider name(s), dates of service and date of birth; insurance coverage details; and patient diagnosis codes related to patients’ hospital visits.

Westat takes the incident and security of personal information in its care seriously. Since discovering this incident, Westat launched an extensive investigation, working with third-party specialists to assess the security of relevant systems and reduce the likelihood of a similar incident in the future. As part of its ongoing commitment to the privacy of personal information in its care, Westat is working to review its existing policies and procedures and implement additional administrative and technical safeguards to secure all information further. Westat also notified federal law enforcement, the U.S. Department of Health and Human Services and other regulators, as required.

Westat is unaware of the misuse of any personal information related to this incident. Out of an abundance of caution, individuals potentially affected by this incident are encouraged to remain vigilant against incidents of identity theft by reviewing account statements and explanations of benefits for unusual activity. Any suspicious activity should immediately be reported to the appropriate insurance company, health care provider or financial institution.

Beginning October 13, 2023, Westat will begin mailing letters to affected individuals. Individuals seeking additional information regarding this incident may call Westat’s dedicated toll-free number at 888-998-8671, available Monday through Friday between 9 a.m. and 9 p.m. Eastern Time. If you believe your information may have been involved but do not receive a letter, please contact the call center.

Westat is committed to safeguarding personal information and will continue its ongoing efforts to enhance the protections already in place to secure the information in its care.