The University of Washington School of Medicine (UW Medicine) has announced that an IT error has resulted in the exposure of 974,000 patient data files online.
A patient alerted UW Medicine of the breach on December 26, 2018, after discovering that their medical information could be accessed if they performed an internet search of their own name.
UW Medicine launched an investigation into the cause of the breach. The investigators determined that the information had accidentally been made publicly available following removal of protections on a website server during database configuration.
The error resulted in search engines indexing sensitive internal files such that they could be accessed over the Internet without the further need for authentication.
The investigators determined that the misconfiguration occurred on December 4, 2019, that the breach was caused by employee error, and that no third-party threat actors were involved. Ironically, the exposed database was the one UW Medicine used to keep track of patient health information disclosures.
UW Medicine fixed the error and secured the database as soon as it was informed of the breach on December 26. UW Medicine asked Google to remove all cached copies of the files from its listings, and reports that Google had removed all cached copies by January 10, 2019.
The files available online contained patients’ names, medical record numbers, information about with whom UW Medicine had shared patient information, a summary of the reason for the disclosure, and a brief description of the types of information that were shared (demographics, labs, office visits).
Some files included the name of a health condition related to a research study or the name of a lab test. Some files indicated which medical test was performed on the patient (such as a test for HIV), but the result of the test was not included.
The files did not contain financial information, insurance information, Social Security numbers, detailed health information, or other highly sensitive data.
The most common reasons for disclosure recorded in the database were sharing information with Child Protective Services, law enforcement, or public health authorities, and giving researchers access to a patient’s medical records to check whether the patient was eligible to take part in a research study.
UW Medicine has taken steps to ensure that the information exposed by the breach has been secured. The medical facility has reported the breach to HHS’ Office for Civil Rights. Following HIPAA’s Breach Notification Rule, UW Medicine is sending patients breach notification letters. According to Dr Timothy Dellit, chief medical officer at UW Medicine, the mailing of breach notification letters has cost UW Medicine around $1 million. The full cost of the breach to UW Medicine has yet to be determined.
“We have no evidence of misuse of this information, and we only have one patient who has been confirmed to have actually seen this information,” Dellit said. “At this time we believe the actual risk of that information being viewed is very low.”