UW Medicine

Your Personal Info Could Be

Exposed Online After

This Hospital Breach

Breach Description

In December 2018, UW Medicine experienced a significant data breach that exposed the personal information of approximately 974,000 patients. This incident was due to a vulnerability on a website server that made protected internal files accessible and visible by search on the internet from December 4, 2018. The files did not contain medical records, patient financial information, or Social Security numbers but included protected health information (PHI) that UW Medicine is legally required to track, such as names, medical record numbers, and details about the information shared, like office visits or labs, and the reason for the disclosure[1][7][14].

The breach was discovered on December 26, 2018, when a patient conducting a Google search for their own name found a file containing their information. UW Medicine immediately took steps to fix the error and worked with Google to remove the saved versions of the files from its servers by January 10, 2019. There was no evidence of misuse or attempted use of the information exposed in this incident[1][7][14].

In response to the breach, UW Medicine committed to reviewing its internal protocols and procedures to prevent such incidents from happening again. They reported the incident to the Office for Civil Rights and made a press announcement. Affected individuals were notified by mailed letters, and a call center and website were established to address patient concerns[1][7].

This breach was not the first time UW Medicine faced scrutiny for information security issues. In 2013, they reported a breach of about 90,000 patient records due to a malware infection, leading to a $750,000 settlement with the Department of Health and Human Services in 2015 for failing to adequately protect patient data[10][11][15].

The 2018 breach highlighted the importance of rigorous data security measures and the need for continuous improvement in protecting patient information against potential vulnerabilities and exposures.

Citations:

  1. https://newsroom.uw.edu/news-releases/data-error-exposes-patient-information
  2. https://privacy.uw.edu/take-action/report/
  3. https://www.healthcareitnews.com/news/fred-hutch-cancer-center-clinical-network-breached
  4. https://depts.washington.edu/comply/docs/comp_105.pdf
  5. https://komonews.com/news/local/seattle-data-breach-lawsuit-fred-hutchinson-hutch-cancer-center-uw-medicine-medical-center-harborview-hospital-valley-university-washington-physicians-neighborhood-clinics-primary-care-airlift-northwest-childrens-group-records-private-info
  6. https://www.washington.edu/healthcare-privacy/resources/breach-documentation-and-notification-process/
  7. https://www.fox13seattle.com/news/almost-1-million-uw-medicine-patients-information-exposed-in-data-breach
  8. https://www.washington.edu/healthcare-privacy/
  9. https://www.jdsupra.com/legalnews/uw-medicine-notifies-patients-of-fred-4171302/
  10. https://healthitsecurity.com/news/uw-medicine-hit-with-lawsuit-for-breach-impacting-974k-patients
  11. https://www.infosecurity-magazine.com/news/uw-medicine-facing-breach-lawsuit/
  12. https://www.myinjuryattorney.com/uw-medicine-data-breach-class-action-investigation-and-lawsuit-assistance/
  13. https://www.fredhutch.org/en/about/about-the-hutch/accountability-impact/notice-to-our-patients-of-data-security-incident.html
  14. https://www.fiercehealthcare.com/tech/uw-medicine-reports-data-error-exposed-1m-patients-data
  15. https://d3security.com/blog/data-breach-of-the-month-uw-medicine/
  16. https://www.kiro7.com/news/local/seattle-cancer-patients-face-blackmail-threats-after-recent-fred-hutch-data-breach/BCLXFK66DRAEDMRPMVBCUVOUDI/
  17. https://www.king5.com/article/news/local/fred-hutch-warn-patients-threatening-emails-cyberattack/281-40365cfa-61c9-4395-91ad-2c819695d4c0
  18. https://www.washington.edu/healthcare-privacy/healthcare-components-group-hccg/reporting-a-breach-compliance-concern/
Breach Submission Date Sep 21, 2022
Converted Entity Name UW Medicine
Converted Entity Type Healthcare Provider
State WA
Individuals Affected 3,804
Breach Type Hacking/IT Incident

Breach Information Location Network Server

Business Associate Present Yes