University of Washington Medicine Mistakenly Exposes Data
Medical files, containing personal data of patients of University of Washington Medicine, were mistakenly exposed following a data error.
UW Medicine, in a press release dated February 20, 2019, has revealed the detection of “…an error in a database configuration that made certain protected internal files temporarily available on the internet and visible by search.”
It was on December 26, 2018 that UW Medicine detected the vulnerability that led to files becoming accessible on December 4, 2018. The error was fixed immediately.
The UW Medicine press release states, “On Dec. 26, 2018, UW Medicine became aware of a vulnerability on a website server that made protected internal files available and visible by search on the internet on Dec. 4, 2018. The files contained protected health information (PHI) about reporting that UW Medicine is legally required to track, such as reporting to various regulatory bodies, in compliance with Washington state reporting requirements.”
The files that were exposed contained patients’ personal data- names, medical record numbers, details about the sharing of patients’ information etc. UW Medicine has clarified that the exposed files didn’t contain medical records, financial data or Social Security numbers of patients. In some instances, the exposed files also included the name of a lab test that was performed on a patient or the name of a research study that would include the name of a health condition; however, the result of the lab test wouldn’t be exposed. It has also been clarified that immediate steps were taken to remove the information from the website; steps were also initiated to get the saved information from any third-party sites too. All saved files were removed by January 10, 2019.
The Q&A part of the UW Medicine press release clarifies, “The files became accessible on December 4, 2018 due to an internal human error. UW Medicine fixed the error immediately upon discovery on December 26, 2018. Because Google had saved some of the files before December 26, 2018, UW Medicine worked with Google to remove the saved versions and prevent them from showing up in search results. All saved files were completely removed from Google’s servers by January 10, 2019.”
There is reportedly no evidence of any misuse of the information that was exposed due to the incident.
The vulnerability and related data expose came to the notice of UW Medicine accidentally when a patient conducting a Google search by name found a file containing such information and reported it to UW Medicine. The incident is likely to involve approximately 974,000 individual patients.
After conducting an internal investigation, UW Medicine has initiated a process of distributing letters to the affected patients; the incident has also been reported to the Office for Civil Rights. UW Medicine has also arranged with a trusted vendor to manage a call center and website (https://ide.myidcare.com/uwmedicine) to cater to the affected patients.
UW Medicine, which includes the University’s medical school, the Harborview Medical Center, the UW Medical Center, Northwest Hospital and Medical Center, Valley Medical Center plus two-dozen neighborhood clinics in the Puget Sound region, had earlier been targeted by a cyberattack in 2013, which led to the breach of patients’ contact data, insurance data and social security numbers.