UW Medicine Faces Class Action Lawsuit Over 974,000-Record Data Breach

Several lawsuits have been filed against healthcare organizations over data breaches in recent weeks, with University of Washington Medicine the latest to face legal action for exposing the protected health information of patients.

The lawsuit has been filed over a December 2018 data breach that saw the personal information of 974,000 patients exposed over the internet as a result of a misconfigured server. The misconfigured server contained an accounting of disclosures database that included patient names, medical record numbers, a list of parties who had been provided with patient data, and the reason why that information was disclosed. Some individuals also had information exposed relating to a research study they were enrolled in, their health condition, and the name of a lab test that had been performed. For certain patients, sensitive information was exposed. According to the lawsuit, that included a patient’s HIV test-taking history and, in some cases, the patient’s HIV status. Social Security numbers, financial information, health insurance information, and medical records were not exposed.

The server misconfiguration occurred on December 4, 2018. UW Medicine was alerted to the breach when a patient discovered a file containing their records that had been indexed by Google. UW Medicine found and corrected the misconfiguration on December 26, 2018.

UW Medicine explained in a press release issued on February 20, 2019 that the database was accessible for a period of three weeks and UW Medicine worked closely with Google to have all indexed information removed from Google’s servers. That process was completed by January 10, 2019.

The lawsuit, filed in King County Superior Court, alleges UW Medicine was negligent and failed to properly safeguard the protected health information of its patients and did not inform patients promptly that their PHI had been exposed. The lawsuit alleges patients have suffered “real, significant, and continuing injury,” have suffered distress and loss of reputation as a result of the breach, and have been placed at an increased risk of identity theft, fraud, and abuse.

The lawsuit also references an earlier UW Medicine data breach as further evidence of inadequate information security practices: a 2013 malware infection that occurred when an employee opened an infected email attachment. That incident impacted 90,000 patients.

The investigation of the breach by the HHS’ Office for Civil Rights found UW Medicine had violated the HIPAA Security Rule by failing to implement adequate policies and procedures to prevent, detect, contain, and correct security violations. In 2015, UW Medicine settled the case with OCR for $750,000 and agreed to adopt a corrective action plan that included conducting “a comprehensive risk analysis of security risks and vulnerabilities and develop an organization-wide risk management plan.”

“[UW Medicine’s] substandard security practices have now compromised nearly one million patients’ PHI, greatly exceeding the scope of the 2013 breach, in violation of its statutory and professional standard of care obligations, in breach of Plaintiffs and the Class’ reasonable expectations when they decided to form a patient physician relationship with UW Medicine, and thereby diminishing the value of the services UW Medicine provided and that its patients paid for,” argue the plaintiffs in the lawsuit.

The lawsuit seeks full disclosure about the information that was compromised, statutory damages and legal fees, and calls for UW Medicine to adopt sufficient security practices and safeguards to prevent further data breaches in the future.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.