A database configuration error at UW Medicine led to an information breach that potentially exposed the protected health information (PHI) of 974,000 patients on the Internet.
On Dec. 26, UW Medicine officials became aware of a vulnerability on a website server that made protected internal files available and visible by search on the Internet earlier that month. The breach was specifically discovered after a patient searched online for their own name in Google and came across the protected file; officials are calling the blunder “an internal human error.”
The files contained PHI related to reporting that UW Medicine is legally required to track, such as reporting to various regulatory bodies in compliance with Washington state reporting requirements, according to an announcement from the Seattle-based University of Washington School of Medicine.
Officials said that Google had saved some of the files before the incident was uncovered on Dec. 26. At that time, UW Medicine worked with Google to remove the saved versions and prevent them from showing up in search results. All saved files were completely removed from Google’s servers by Jan. 10, the organization attested.
“When we learned of the exposure of the files to the internet, we took immediate steps to remove the information from the site and initiated appropriate measures to remove saved information from any third-party sites. At this time, there is no evidence that there has been any misuse or attempted use of the information exposed in this incident,” officials said in a news release.
The files, however, did contain patients’ names, medical record numbers, and a description and purpose of the information. The files did not contain any medical records, patient financial information or Social Security numbers, officials noted.
What’s more, Timothy Dellit, M.D., chief medical officer at UW Medicine, said in a news conference, as covered by The Seattle Times, that “Some of the files contain the name of a lab test or the name of a research study. In those cases, the files may have noted specific conditions patients were tested or screened for, such as HIV or dementia.” While the files don’t disclose lab results or whether a patient qualified for a research study, Dellit said people could make indirect inferences from the information, according to the report.
“Based on the results of our internal investigation, we are in the process of distributing letters to approximately 974,000 affected patients and have reported this incident to the Office for Civil Rights,” the organization stated.
Dellit further said, per The Seattle Times, that the mailings will cost around $1 million, though he didn’t give a cost estimate for the full response to the breach.
According to another report, King County Council member Reagan Dunn has introduced legislation that would create a commission to investigate the breach. The investigation will look at the “cause and scope of the breach, why it took almost two months for UW Medicine to release a statement, the communication between UW Medicine and those affected and how they can prevent it in the future.”