UW Medicine Exposes 1m Patients’ PHI by Removing Security

Around 974,000 patients of UW Medicine have had their PHI exposed online due to the accidental disabling of protections on a website server. The error led to sensitive internal files being indexed by search engines. Sensitive patient information was accessible using Internet searches without any need for authentication.

The Seattle-based group noticed a vulnerability on a website server on December 26, 2018, following being contacted by a patient who was carrying out a Google search of their own name.

An internal review was kicked off to determine how information was exposed, for how long, and how many patients had possibly been impacted. UW Medicine discovered that an error had been made in the set up of a database which lead to internal files being temporarily accessible over the Internet. The server misconfiguration took place on December 4, 2019. Human error was blamed for the incident. Ironically, the exposed database was used by UW Medicine to record patient health information disclosures.

The error was immediately remedied on December 26 and UW Medicine contacted Google to delete all cached copies of the files from its listings. UW Medicine reports that all cached copies of its files were deleted by January 10, 2019.

An review of the files showed they included patients’ names, medical record numbers, information about with whom UW Medicine had shared patient information, a summary of the reason for the disclosure, and a brief description of the sort of information that were shared (demographics, labs, office visits etc.). In some instances, the name of a health condition was mentioned in relation to a research study and the name of a lab test was included. The information may have shown what the patient was being tested for (E.g. HIV, dementia), but not the outcome of the test.

The most common disclosures referred to mentioned were data shared with Child Protective Services, law enforcement, public health authorities, and when researchers needed access to a patient’s medical records to check if the patient was eligible to participate a research study.

It has taken a considerable amount of time for UW Medicine to ensure that all information has been completely safeguarded and to identify the patients affected by the breach. The incident has now been made known to the HHS’ Office for Civil Rights and all patients are now being issued breach notification letters. UW Medicine cannot confirm how many people obtained the files during the time they were available, but due to the nature of data exposed, the danger of identity theft and fraud is believed to be minimal.

The mistake has proven costly for UW Medicine. According to Dr. Timothy Dellit, chief medical officer at UW Medicine, the mailing of breach notification letters has cost UW Medicine around $1 million, not taking into account the cost of the investigation and identifying patients affected by the breach.

The breach has led to a review of policies and procedures, which have now been refreshed to stop similar incidents from happening in the future.

Author: Maria Perez