The University of Washington Medicine is notifying approximately 974,000 patients of a data breach that occurred in December, which left some of the patients’ information exposed on the Internet.
The breach occurred over a 3-week period and was determined to be the result of a misconfigured server. The database was used to track the sharing of data, specifically each instance in which UW Medicine shared patient health information; keeping such a record is a legal requirement.
The breach was discovered on December 26, when a patient conducted a Google search on themselves and was surprised to find a file containing their data from UW Medicine. After the patient notified the hospital of their findings, an investigation was launched, leading to the discovery that the data had been exposed online since December 4, due to an employee error.
The exposed data included patient names, medical record numbers, descriptions/purpose of the data, who received the data, and in some cases, lab test names (no results) and research study names (with a health condition). Hospital staff state that no medical records, financial information, or Social Security numbers were exposed.
According to a spokeswoman for the hospital, Susan Gregg, after the discovery of the exposed information, “we took immediate steps to remove the information from the site and initiated appropriate measures to remove saved information from any third-party sites. At this time, there is no evidence that there has been any misuse or attempted use of the information exposed in this incident.”
UW Medicine has also pointed out that it has worked with Google to keep the saved information from appearing in search results.
The breach has been reported to the Office for Civil Rights (OCR) as required by HIPAA.
Hospital officials stated they are reviewing their protocol and procedures to prevent a similar breach from occurring in the future.