UW Medicine
Your Personal Info Could Be
Exposed Online After
This Hospital Breach
Breach Description
In December 2018, UW Medicine experienced a significant data breach that exposed the personal information of approximately 974,000 patients. This incident was due to a vulnerability on a website server that made protected internal files accessible and visible by search on the internet from December 4, 2018. The files did not contain medical records, patient financial information, or Social Security numbers but included protected health information (PHI) that UW Medicine is legally required to track, such as names, medical record numbers, and details about the information shared, like office visits or labs, and the reason for the disclosure[1][7][14].
The breach was discovered on December 26, 2018, when a patient conducting a Google search for their own name found a file containing their information. UW Medicine immediately took steps to fix the error and worked with Google to remove the saved versions of the files from its servers by January 10, 2019. There was no evidence of misuse or attempted use of the information exposed in this incident[1][7][14].
In response to the breach, UW Medicine committed to reviewing its internal protocols and procedures to prevent such incidents from happening again. They reported the incident to the Office for Civil Rights and made a press announcement. Affected individuals were notified by mailed letters, and a call center and website were established to address patient concerns[1][7].
This breach was not the first time UW Medicine faced scrutiny for information security issues. In 2013, they reported a breach of about 90,000 patient records due to a malware infection, leading to a $750,000 settlement with the Department of Health and Human Services in 2015 for failing to adequately protect patient data[10][11][15].
The 2018 breach highlighted the importance of rigorous data security measures and the need for continuous improvement in protecting patient information against potential vulnerabilities and exposures.
Citations:
- https://newsroom.uw.edu/news-releases/data-error-exposes-patient-information
- https://privacy.uw.edu/take-action/report/
- https://www.healthcareitnews.com/news/fred-hutch-cancer-center-clinical-network-breached
- https://depts.washington.edu/comply/docs/comp_105.pdf
- https://komonews.com/news/local/seattle-data-breach-lawsuit-fred-hutchinson-hutch-cancer-center-uw-medicine-medical-center-harborview-hospital-valley-university-washington-physicians-neighborhood-clinics-primary-care-airlift-northwest-childrens-group-records-private-info
- https://www.washington.edu/healthcare-privacy/resources/breach-documentation-and-notification-process/
- https://www.fox13seattle.com/news/almost-1-million-uw-medicine-patients-information-exposed-in-data-breach
- https://www.washington.edu/healthcare-privacy/
- https://www.jdsupra.com/legalnews/uw-medicine-notifies-patients-of-fred-4171302/
- https://healthitsecurity.com/news/uw-medicine-hit-with-lawsuit-for-breach-impacting-974k-patients
- https://www.infosecurity-magazine.com/news/uw-medicine-facing-breach-lawsuit/
- https://www.myinjuryattorney.com/uw-medicine-data-breach-class-action-investigation-and-lawsuit-assistance/
- https://www.fredhutch.org/en/about/about-the-hutch/accountability-impact/notice-to-our-patients-of-data-security-incident.html
- https://www.fiercehealthcare.com/tech/uw-medicine-reports-data-error-exposed-1m-patients-data
- https://d3security.com/blog/data-breach-of-the-month-uw-medicine/
- https://www.kiro7.com/news/local/seattle-cancer-patients-face-blackmail-threats-after-recent-fred-hutch-data-breach/BCLXFK66DRAEDMRPMVBCUVOUDI/
- https://www.king5.com/article/news/local/fred-hutch-warn-patients-threatening-emails-cyberattack/281-40365cfa-61c9-4395-91ad-2c819695d4c0
- https://www.washington.edu/healthcare-privacy/healthcare-components-group-hccg/reporting-a-breach-compliance-concern/