UW Medicine error exposes nearly 1 million patient records

Submitted by UW Medicine

On Dec. 26, 2018, UW Medicine became aware of a vulnerability on a website server that made protected internal files available and visible by a search on the internet on Dec. 4, 2018. The files contained protected health information about reporting that UW Medicine is legally required to track, such as reporting to various regulatory bodies in compliance with Washington state reporting requirements. When we learned of the exposure of the files to the internet, we took immediate steps to remove the information from the site and initiated appropriate measures to remove saved information from any third-party sites. At this time, there is no evidence that there has been any misuse or attempted use of the information exposed in this incident.

The files contained patients’ names, medical record numbers, and a description and purpose of the information. The files did not contain any medical records, patient financial information or any Social Security numbers.

Based on the results of our internal investigation, we are in the process of distributing letters to approximately 974,000 affected patients and have reported this incident to the Office for Civil Rights. Additionally, a trusted vendor, ID Experts, will be managing a call center and website (https://ide.myidcare.com/uwmedicine) on behalf of UW Medicine beginning Feb. 20. The call center hours are 5 a.m. to 5 p.m., Pacific Standard Time, Monday-Friday. The toll-free number is 844-322-8234.

We sincerely regret that this incident occurred and apologize for any distress this may cause our patients and their families. UW Medicine is committed to providing quality care while protecting patients’ personal information. We are reviewing our internal protocols and procedures to prevent this from happening again.

Data Exposure: Questions and Answers

What happened?

UW Medicine became aware of an error in a database configuration that made certain protected internal files temporarily available on the internet and visible by search. UW Medicine wanted to make you aware of the incident out of an abundance of caution.

When did this happen?

December 4, 2018

How was this incident discovered?

UW Medicine became aware of this incident on December 26, 2018, when a patient was conducting a Google search for their own name and found a file containing their information. The patient reported this to UW Medicine.

What personal information was exposed?

Electronic files that UW Medicine used to document when it shared patient information in certain limited circumstances. as required by law. The files contained: