Westat provides research support and services pursuant to hospital and provider contracts with certain governmental agencies, including Medical University Hospital Authority’s MUSC Health hospitals. Westat Inc. is providing notice of a recent incident that may affect the privacy of some personal and/or medical information collected from Medical University Hospital Authority’s hospitals. Westat is unaware of any misuse of individual information and is providing this notice out of an abundance of caution.
Westat utilized MOVEit Transfer third-party software to manage data it collected and/or maintained on behalf of other organizations. On May 30, 2023, Westat detected unusual activity occurring in its MOVEit instance. Westat immediately took steps to ensure the security of its environment. The following day, MOVEit announced a software vulnerability had affected many companies across various industries. With the assistance of third-party forensic specialists, Westat investigated to determine the nature and scope of the activity.
The investigation determined that certain data stored on the MOVEit server may have been copied without authorization between May 28 and May 29. Westat conducted a detailed review of the data involved to determine the type of information that was present and to whom it was related. This review confirmed that certain information belonging to medical providers was present in the affected data and was accessed or acquired during the MOVEit incident. Upon completion of this analysis, Westat notified governmental agency partners and affected medical providers and is now providing notification to affected individuals at the direction of certain medical providers involved.
The types of personal information that may have been copied by the unauthorized actor include patient demographics such as name, address, medical record number, provider name(s), dates of service and date of birth; insurance coverage details; and patient diagnosis codes related to patients’ hospital visits.