Health data breach may impact 1,300 Meadville Medical Center patients

Oct. 18—Some personal information of about 1,300 Meadville Medical Center (MMC) patients may be at risk because of a May patient care data breach involving 15 million individuals worldwide.

MMC's announcement was made Tuesday regarding Westat Inc., which provides a variety of data collection and management services to several organizations as part of the National Hospital Care Survey (NHCS).

NHCS collects data on patient care in hospital-based settings to describe patterns of health care delivery and utilization in the United States.

Meadville Medical Center participates in and provides certain patient information to Westat for the purpose of collecting health care statistics related to public health, according to Marc Gibbs, the hospital's chief information officer.

"It's information from here that's sent on to HHS [U.S. Department of Health and Human Services] and the CDC [the Centers for Disease Control and Prevention]," Gibbs said Tuesday.

On May 30, Westat detected unusual activity occurring in a third-party software vendor that impacted a large number of companies across various industries.

When Westat detected the unusual activity, it took immediate security steps with the assistance of third-party forensic specialists, conducting an investigation to determine the nature and scope of the activity.

Gibbs said the breach involved the MOVEit software by Progress Software Corp., which is used by Westat.

"Unfortunately, some patient identification information was involved," he said.

Progress MOVEit is a leading secure managed file transfer software used by organizations around the world.

It is believed that around the end of May, Russian computer hackers found and exploited a vulnerability in Progress Software's MOVEit file transfer application, according to Gibbs.

"It was about 1,300 patients' [files] at Meadville Medical Center — Titusville [Area Hospital] wasn't affected," he said Tuesday. "It was found [by Westat] May 30 and it would be records within five days prior."

Asked about the delay in announcing the May breach until now, Gibbs said it was due to Westat needing to get approval from the federal Department of Health and Human Services to send out notifications.

Westat is notifying individuals who may have had their information accessed, and is offering 12 or 24 months of credit monitoring.

Individuals seeking information may contact Westat, toll-free, by calling (888) 998-8671.

Keith Gushard can be reached at (814) 724-6370 or by email at