University of Washington Medicine Notifies 90K Patients of Potential HIPAA Breach

An October security breach potentially exposed personal information and Social Security numbers of 90,000 patients of the University of Washington Medicine (UW Medicine), according to a recent breach announcement issued by the healthcare provider.

The breach occurred when malware took control of an employee’s computer after an infected e-mail attachment was opened. While the incident is not believed to be a targeted attack, the malware could potentially have accessed Protected Health Data and personal identifiers stored on the computer and given hackers access to that data.

Affected individuals had previously received medical services at UW Medicine’s Harborview Medical Center and/or its Washington Medical Center. The compromised data includes patient names, addresses and phone numbers, as well as dates of birth and Social Security numbers. Clinical data was also stored on the computer, and details of treatments received could potentially have been accessed.

The breach was identified promptly and the malware was active for only a day. Given that this was not believed to be a targeted attack, the risk to patients is considered to be low. Breach notification letters were sent to all affected individuals at the end of November, and any patient who has received the letter is advised to obtain credit reports and check them for any sign of fraudulent activity.

UW Medicine has now made the affected computer secure and notified the FBI and the Office for Civil Rights of the data breach. Patients were informed that they may be contacted by the FBI as part of its investigation.

Both KING 5 News and KOMO News reported that some patients have voiced concerns about the delay in issuing the breach notification letters, which were dispatched the day before Thanksgiving. The breach is reported to have occurred on October 2 and was discovered on October 3, yet it took over a month for patients to be contacted.

Tina Mankowski, a spokeswoman for UW Medicine, explained that the delay occurred because the investigation into the breach took some time to conduct, and it was not immediately apparent which patients had been affected and were potentially at risk of suffering identity fraud.

Even with robust security systems, malware can all too easily be installed unwittingly by employees, so it is essential that regular checks take place to monitor for infections. With proper staff training, the risk of malware infections can be greatly reduced. Staff should be instructed not to open any e-mail attachments from unknown individuals and should consult their IT departments if in any doubt.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.