UW Medicine Erroneously Exposed Information on Nearly 1 Million Patients
University of Washington Medicine said on Monday that the medical files of about 1 million patients were visible on the internet for at least three weeks in December.
According to the University, the files were exposed on December 4 because of “an internal human error.” The exposed files were the records the hospital system uses to document when it shares patient information, for instance with public-health authorities or law enforcement.
The exposed files contain patients’ names, medical record numbers, a description of the information shared and a description of who it was shared with, UW Medicine said in a news statement. However, it said the files do not include specific health information, social security numbers or financial information.
Dr. Timothy Dellit, chief medical officer at UW Medicine, said at a news conference that some files contain the name of a lab test or the name of a research study. In those cases, the files may have noted specific conditions patients were tested or screened for, such as HIV or dementia.
Though the files don’t disclose lab results or whether a patient qualified for a research study, people could make indirect inferences from the information.
UW will be sending letters to approximately 974,000 patients in all 50 states whose data was exposed. According to Dellit, the cost of mailing could be around $1 million. He also said that he did not have a cost estimate for the full response to the breach.
Dellit added that it took around two months to notify patients because UW Medicine was working to understand what had happened, identify all potentially affected patients and set up support for them, including a website and call center.
UW Medicine includes the University’s medical school as well as Harborview Medical Center, the UW Medical Center, Northwest Hospital and Medical Center, Valley Medical Center and more than two dozen neighborhood clinics scattered around the Puget Sound region.
The hospital discovered the error on December 26, after a patient searched for their own name on Google and came across the file. UW Medicine said it immediately removed the files, but it had to work with Google to remove saved versions and prevent them from appearing in search results.
UW Medicine said all saved files were removed by Jan. 10.
“We have no evidence of misuse of this information, and we only have one patient who has been confirmed to have actually seen this information,” Dellit said. “At this time we believe the actual risk of that information being viewed is very low.”
Dellit said the exposure happened when the data was being moved from one server to another. UW Medicine has yet to determine whether the breach was the fault of specific employees or a failure in the system.
UW Medicine has contracted with cybersecurity consultant Crypsis Group to examine its processes and verify that no other information is available online, he said.
King County Councilmember Reagan Dunn said he would soon introduce legislation to set up a commission to investigate the data breach and UW Medicine’s response, including the time it took to alert patients.
“This is a breach of data, but it’s also a massive breach of the public’s trust,” Dunn said in a written statement.
The legislation is reportedly to be introduced on Wednesday, and it would request that the county executive convene the commission. Dunn said he did not know if Attorney General Bob Ferguson, who has previously investigated data breaches at private companies, would be involved.
“In this era of big data, I think it’s important that there’s a higher level of accountability for organizations that have access to our most private data,” Dunn said.
Dellit also said that he was unaware of the potential investigation by the county but that UW Medicine hopes to work with the County Council going forward.
He also said that UW Medicine had reported the breach to the U.S. Department of Health and Human Services’ Office for Civil Rights, which may conduct its own investigation.
After a cyberattack in 2013, the federal agency investigated UW Medicine. The cyberattack led to a breach of data, including some patients’ contact information, social security numbers, and insurance information. The investigation cost UW Medicine a settlement worth $750,000 and a corrective action plan.