Info for nearly 1M patients exposed on UW Medicine web server

By | February 23, 2019

A vulnerability on a website server at UW Medicine in Washington has resulted in a large data breach, affecting the records of nearly 1 million patients.

A forensic investigation at the organization said information was exposed to the public through the vulnerability, although the most sensitive protected health information, including Social Security numbers, were not exposed.

The investigation estimates that the records of 974,000 patients were affected.

On December 26, the organization learned of a vulnerability on a web server that exposed internal files that were visible via a search on the Internet. UW Medicine reported that a patient did a Google search for his name on December 4 and found files containing his information, which then was reported to UW Medicine.

Also See: The 15 largest health data breaches of 2018

Information exposed included patients’ names; medical record numbers; with whom UW Medicine shared information and the reasons why, such as office visits or lab results; and the reason for disclosure, such as mandatory reporting or screening to assess if an individual was qualified for participation in a research study.

“In general, the files described what parts of your medical record were shared, not your actual health information,” the organization told affected patients. “In some instances, the files included a lab test that was performed, but not the result, or the name of the research study that included the name of a health condition.”

Google, as a search engine, had saved some of the files before December 26, and it worked with UW Medicine to remove the saved versions to prevent them from reappearing in search results. All saved files were removed by January 10.

To date, UW Medicine has no evidence of misuse or attempted misuse of the data. The organization told patients that it believes the risk of identity theft is negligible, because no financial or Social Security information was exposed. “Even though the files contained your name and medical record number, the medical record number generally is only used for internal purposes, not for communicating with patients,” UW Medicine noted.

Notification letters continue to be mailed out to patients, and ID Experts was contracted to manage a call center and website.

Joseph Goedert

Joseph Goedert

Goedert is senior editor of Health Data Management, a SourceMedia publication.

More from this Author

Health Data Management: Feed