PHI of Almost 1 Million UW Medicine Patients Exposed Online

Approximately 974,000 patients of UW Medicine have had their protected health information exposed online due to the accidental removal of protections on a website server. The error resulted in sensitive internal files being indexed by search engines. Internet searches allowed sensitive patient information to be accessed by unauthorized individuals without any need for authentication.

Seattle-based UW Medicine discovered a vulnerability on a website server on December 26, 2018, following a tip-off from a patient who was performing a Google search of their own name.

An investigation was launched to determine how information was exposed, for how long, and how many patients had potentially been affected. UW Medicine determined that an error had been made in the configuration of a database which resulted in internal files being temporarily available over the Internet. The server misconfiguration occurred on December 4, 2019. The incident was attributed to human error. Ironically, the exposed database was used by UW Medicine to keep track of patient health information disclosures.

The error was immediately fixed on December 26 and UW Medicine contacted Google to remove all cached copies of the files from its listings. UW Medicine reports that all cached copies of its files were removed by January 10, 2019.

An analysis of the files revealed they contained patients’ names, medical record numbers, the parties with whom UW Medicine had shared patient information, a summary of the reason for the disclosure, and a brief description of the types of information that were shared (demographics, labs, office visits etc.). In some cases, the name of a health condition was mentioned in relation to a research study and the name of a lab test was included. In the latter case, the information may have indicated what the patient was being tested for (e.g. HIV, dementia), but not the result of the test.

No financial information, insurance information, Social Security numbers, detailed health information, or other highly sensitive data could be accessed by unauthorized individuals as a result of the database misconfiguration.

The most common disclosures recorded in the database were information shared with Child Protective Services, law enforcement, and public health authorities, and cases where researchers required access to a patient’s medical records to check whether the patient was eligible to take part in a research study.

It has taken some time for UW Medicine to ensure that all information has been secured and to identify the patients impacted by the breach. The incident has now been reported to the HHS’ Office for Civil Rights and all patients are now being sent breach notification letters. The breach report on the OCR website indicates that up to 973,024 patients have been impacted. Due to the nature of the data exposed, the risk of identity theft and fraud is believed to be negligible.

The error has proven costly for UW Medicine. According to Dr. Timothy Dellit, chief medical officer at UW Medicine, the mailing of breach notification letters has cost UW Medicine around $1 million, not including the cost of the investigation and identifying patients impacted by the breach.

The breach has prompted a review of policies and procedures, which have now been updated to prevent similar incidents from occurring in the future.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.