The University of Washington Medicine is notifying about 974,000 individuals that some of their patient data was left exposed on the internet for three weeks due to a misconfigured server.
The breach was discovered on December 26, when a patient conducted a Google search of their name and found a file containing their data. The patient notified UW Medicine. An investigation determined that the files became accessible about three weeks earlier on December 4 due to an employee error.
Upon discovery, officials said they took steps to remove the exposed data from the site and removed saved information from all third-party sites.
“Because Google had saved some of the files before December 26, 2018, UW Medicine worked with Google to remove the saved versions and prevent them from showing up in search results,” officials said in a statement. “All saved files were completely removed from Google’s servers by Jan. 10, 2019.”
The exposed data included patient names, medical record numbers, the party who received the data, and a description and purpose of the information. For some, the files included the name of the lab test, but not the results, or the research study with the name of the health condition. No medical records, financial data, or Social Security numbers were breached.
The database was used to keep track of when UW Medicine shared patient health information, which is required by HIPAA. According to officials, as required by state law, data sharing most commonly occurs with public health authorities, law enforcement and Child Protective Services.
The provider also commonly shares the data “when a researcher receives approval to access medical records to determine whether a patient may be eligible for a research study or to recruit participants. The researcher must document in the database when they access the medical record.”
The thorough breach notification also answered common questions as to why this data was kept and whether patients could remove their data from the server.
“UW Medicine informs patients about how they share medical records in their Notice of Privacy Practices …. [and] only shares patient information when the law permits it,” officials said in a statement. “UW Medicine understands your concern. Due to state and federal regulations, these records must remain on file.”
To prevent a similar breach in the future, officials said they’re reviewing protocols and procedures. The breach has been reported to the Office for Civil Rights.
This is UW Medicine’s second breach in six years. In October 2013, the Social Security numbers and medical data of 90,000 patients were compromised when an employee opened an attachment containing malware. The virus took over the computer, which stored patient data.
In 2015, the Washington provider settled with the Department of Health and Human Services for $750,000 over the breach. The HHS findings determined the provider lacked an effective risk assessment that would sufficiently address patient data risks and vulnerabilities.