Incident Of The Week: UW Medicine Patient Data Exposed Online
Website server vulnerability left almost 1 million patients’ data out on the internet
UW Medicine is sending letters to 974,000 patients about a data breach that exposed some of their information on the internet. “UW Medicine became aware of a vulnerability on a website server that made protected internal files available and visible by search on the internet on Dec. 4, 2018,” spokeswoman Susan Gregg said in a statement. “The files contained protected health information (PHI) about reporting that UW Medicine is legally required to track, such as reporting to various regulatory bodies in compliance with Washington state reporting requirements.”
The files that were reported as going public did not contain any medical records, patient financial information or Social Security numbers; however, they did include protected health information and reporting that UW Medicine is legally required to track.
The files contained:
- Medical record number.
- With whom UW Medicine shared your information.
- A description of what information about you was shared (for example, “demographics”, “office visits” or “labs”).
- The reason for the disclosure, such as mandatory reporting or screening to see if you qualified for a research study.
How The Breach Was Discovered
Megan Flory told KIRO 7 she accessed some of the UW Medicine files through a Google search last month after a friend discovered the exposed personal information when looking up a person’s name she’d met.
“Upset about something she'd stumbled across online,” said Flory. “It clearly said it was UW Medicine.”
Flory said there were as many as 120 names in the UW Medicine files she accessed through a Google search; the files also included the names of those patients’ lab tests, but not the results.
“HIV was one of them?” asked KIRO 7 reporter Michael Spears. “That was what they all were, pretty much,” said Flory. “If you don’t know what it means, it’s maybe easier to kind of assume it’s the worst.”
Flory said she then spoke with a woman at UW Medicine to report what she’d found online.
“Having things out on Google like that is scary,” said Flory. “You know it could be upsetting or devastating for somebody.”
As of now, the files have been removed from public view and UW officials say they have taken steps to remove information that was saved to third-party sites.
“At this time, there is no evidence that there has been any misuse or attempted use of the information exposed in this incident,” the news release said.
Taking Immediate Action
UW is sending letters to the affected patients, and the data breach has been reported to the Office for Civil Rights. The university has also hired a vendor, ID Experts, to manage a call center and website.
“We sincerely regret that this incident occurred and apologize for any distress this may cause our patients and their families. UW Medicine is committed to providing quality care while protecting patients’ personal information. We are reviewing our internal protocols and procedures to prevent this from happening again,” UW Medicine said in the statement.
King County Councilmember Reagan Dunn is introducing legislation Wednesday afternoon calling on the County Executive to create a commission to investigate UW Medicine’s potential breach of public health records.
“This is a breach of data, but it’s also a massive breach of the public’s trust,” Dunn said in a statement. “That’s why I am immediately introducing legislation requesting the County Executive to form a commission to investigate what went wrong, why it happened, and how to ensure this never happens again. The public deserves so much better.”
Advice For Better Enterprise Data Security
Create a culture of privacy in your organization. Educate employees on the importance and impact of protecting consumer and employee information as well as the role they play in keeping it safe.
Top three tips to build trust:
- If you collect it, protect it. Follow reasonable security measures to keep individuals' personal information safe from inappropriate and unauthorized access.
- Be open and honest about how you collect, use and share consumers' personal information. Think about how the consumer may expect their data to be used, and design settings to protect their information by default.
- Build trust by doing what you say you will do. Communicate clearly and concisely to the public what privacy means to your organization and the steps you take to achieve and maintain privacy.