West Virginia

Data breaches arise when unapproved individuals infiltrate computer systems and view confidential information without the owner's permission. The most common types of cyber attacks in West Virginia include hacking, identity theft, and the use of malware. In 2021, a ransomware attack compromised West Virginia's Morgan County Schools district. The hackers, who targeted office-based computers, demanded $70 million to unlock seized files. In 2022, 1,981 schools in the US experienced cyber attacks. These security attacks cost the higher education sector $3.7 million in 2023 alone. Most data breaches targeting universities and colleges center on the unauthorized acquisition of sensitive student data like school performance grades, median household income, suspensions, and even sexual assault records.

Identity Theft Statistics

Identity Theft
State Rank (Reports per 100K Population)
Identity Theft Reports
Fraud & Other
State Rank (Reports per 100K Population)
Total Fraud & Other Reports
Total Fraud Losses
Median Fraud Losses

Top Ten Report Categories

Imposter Scams
Prizes, Sweepstakes and Lotteries
Identity Theft
Telephone and Mobile Services
Online Shopping and Negative Reviews
Internet Services
Television and Electronic Media
Banks and Lenders
Auto Related
Debt Collection

Top Identity Theft Types

Bank Fraud
Credit Card Fraud
Other Identity Theft
Employment or Tax-Related Fraud
Loan or Lease Fraud
Phone or Utilities Fraud
Government Documents or Benefits Fraud

West Virginia's Recent Biggest Data Breaches


Weirton Medical Center Data Breach

West Virginia's Weirton Medical Center experienced a cyber attack in January 2024. Between January 14 and 18, unauthorized persons infiltrated its computer system. The Center estimates that the data breach exposed the personal information of 26,793 clients. The hackers accessed data such as patients' names, health insurance information, Social Security numbers, treatment information, date of birth, and medical bill balance. Weirton Medical Center began informing its clients about the data breach on March 18, 2024. The establishment has also hired cyber security experts to investigate the data breach and implemented strict measures to prevent similar attacks from infiltrating its computer system in the future.


Citizens Bank Data Breach

Citizens Bank, located in Elkins, West Virginia, provides customers with assorted banking products and services. The institution experienced a cyber attack in 2023 between November 15 and 27. In this data breach, unauthorized parties accessed personal information belonging to the Bank's 35,000 customers. The institution has not disclosed the exact data type that the hackers accessed. Moreover, Citizens Bank began to notify clients whose personal data may have been compromised about the breach on March 18, 2024.


Montgomery General Hospital Data Breach

In 2023, West Virginia's Montgomery General Hospital experienced a cyber attack between February and March. Hackers launched a ransomware attack on the institution on February 28. Its IT personnel recognized the cyber attack and reported it to the FBI before engaging a security corporation to handle it. The hackers downloaded sensitive information concerning patients' treatment plans, medical histories, medical insurance data, and diagnoses. They also downloaded the hospital's employees' Social Security numbers, names, addresses, and pay rates. On March 31, the hackers contacted the hospital's executives and demanded $750,000 to keep the data private. When the executives rejected this offer, the hackers began to publish the data on the Dark Web. Montgomery General Hospital's executives then initiated private negotiations with the hackers to prevent them from publishing more private data. Its executives notified affected workers and patients about the breach within the 60-day limit stipulated by HIPAA regulations. The hospital also indicated that employees whose social security numbers were revealed by the hackers would receive complimentary identity and credit monitoring.


West Virginia University Medical Corporation Data Breach

In December 2021, the West Virginia University Medical Corporation experienced a cyber attack. During the data breach, ransomware hackers sabotaged the institution's timekeeping and payroll digital systems. For a few days, this attack prevented the organization from analyzing employee hours to determine the correct financial compensation for its workers. The West Virginia University Medical Corporation's public relations officials revealed that the hackers accessed its workers' social security numbers, dates of birth, full names, and current physical addresses. After the incident, the institution's executives employed cybersecurity experts to strengthen its information security system.


Monongalia Health Data Breach

Monongalia Health, a West Virginia-based health system, experienced a phishing attack that exposed protected health information in 2021. Its IT personnel immediately disabled a large percentage of its network activity. The institution's executives stressed that the data breach did not affect its EHR systems. However, it exposed patients' account numbers, birth dates, Medicare claim numbers, providers, Social Security numbers, and employees' dates of service. The institution informed affected patients and employees about the security breach and offered them identity and credit monitoring services. Mon Health also engaged experienced security firms to implement additional technical security safeguards and measures to monitor its computer systems and prevent further attacks.

What Should You Do if You Are in a Breach?

Unfortunately, data breaches are pretty common now, considering our online connections and dependence on digital service delivery. Criminals work in the shadows to steal your personal information, so sometimes, it's only when you notice certain signs that ongoing fraud becomes apparent. These danger signs apply to both individuals and businesses.

Credit Card Charges

If you find unauthorized transactions on your credit card, there is a significant possibility your phone number, email address, or card number has been compromised.

Calls from Debt Collectors

Phone calls or letters from collection agencies seeking debt payment for a loan you do not remember taking are also signs of identity theft.

New Credit Cards or Loans in Your Name

A new line of credit or a loan taken out in your name is a warning sign that you are a victim of identity theft.

Surprise Credit Score Drops

Sudden credit score drops with no obvious cause are a sign of suspicious activity.

Unusual Activity on Your Social Security Account

The federal government also considers social security numbers personal identifiers, so check your social security statement regularly to ensure no one has access to benefits without consent.

Inability to Log In to Accounts

If you are locked out of an account, it is usually because someone has hacked into it and changed the password. You should immediately try all possible recovery options and contact customer support if all else fails.

Step-by-Step Process for Responding to a Data Breach


Contact Local Law Enforcement

As an individual or a business, report the incident to the police and file a police report.


Assess and Secure Compromised Areas

Identify which aspects of your information have been affected, such as emails, passwords, credit card numbers, social security numbers, full names, and phone numbers.


Contain the Breach

Isolate the affected system to prevent further damage.


Create New, Strong Passwords for All Accounts

This may involve changing usernames and passwords for compromised platforms, using strong passwords with a mix of upper and lower-case letters, digits, and special characters.


Notify Affected Institutions

Inform your bank, credit card companies, and other affected institutions. Request they close or freeze any accounts that may be implicated in the breach to reduce financial risk.


Update Security on Digital Accounts

Change passwords for all accounts affected by the breach. Make sure each password is unique, and use two-factor verification as an additional layer of security.


Check for Malware

Examine your computers and mobile devices for installed malware. Install robust antivirus software to detect and remove any viruses or malicious software.


Freeze Your Credit

In cases of identity theft, contact all credit bureaus to freeze your credit.


Monitor Your Mail and Credit Reports

Keep an eye out for any unauthorized changes in your mail.


Engage Legal Assistance When Applicable

If you are a business, consider hiring a law firm experienced in handling data breaches.

Responsibilities of Companies that Have Been Breached

West Virginia state regulations mandate that all organizations notify clients, patients, and employees in the event of a data breach. They should also specify whether the hack has resulted from random hackers or employee negligence. Based on West Virginia's data breach laws, personal information may include Social Security numbers, state identification card numbers, driver's license numbers, account numbers, debit and credit card numbers, access codes and passwords to financial accounts, and personal health information. State laws mandate that the data licensees or owners must be informed of data breaches as soon as possible after they occur. Organizations that experience cyber attacks that affect more than 1,000 citizens are expected to notify consumer reporting institutions and the state's Attorney General. All communication with data owners is to be done through established communication methods. Data owners may request that organizations illustrate how their information was obtained by hackers during data breaches. Moreover, affected organizations may delay notifying data owners about breaches if law enforcement officials indicate that doing so will interfere with ongoing investigations into the cyber attack.


  • W.V. Code § 46A-2A-101, passed in 2008, establishes the protocol that organizations, business entities, and individuals are to use when a data breach is detected. It defines when and how entities should inform data owners about data breaches. It also specifies what data qualifies as personal information. Based on this statute, business entities in West Virginia may provide substitute breach notifications to customers or clients under specific circumstances. These circumstances include when the cost of issuing data breach notifications surpasses $50,000 or the entity does not have adequate contact information to provide clients with standard notifications. Under this statute, the West Virginia Attorney General may impose sanctions on business entities or entrepreneurs that do not adhere to these laws. These sanctions include a fine of $150,000 for every breach and civil penalties for business entities that violate the law repeatedly.