Data error exposes patient information
UW Medicine has removed patients' information from the website on which the vulnerability occurred.
On Dec. 26, 2018, UW Medicine became aware of a vulnerability on a website server that made protected internal files available and visible by search on the internet on Dec. 4, 2018. The files contained protected health information (PHI) about reporting that UW Medicine is legally required to track, such as reporting to various regulatory bodies, in compliance with Washington state reporting requirements.
When we learned of the exposure of the files to the internet, we took immediate steps to remove the information from the site and initiated appropriate measures to remove saved information from any third-party sites. At this time, there is no evidence that there has been any misuse or attempted use of the information exposed in this incident.
The files contained patients’ names, medical record numbers, and a description and purpose of the information. The files did not contain any medical records, patient financial information or Social Security numbers.
Based on the results of our internal investigation, we are in the process of distributing letters to approximately 974,000 affected patients and have reported this incident to the Office for Civil Rights. Additionally, a trusted vendor, ID Experts, will manage a call center and website (https://ide.myidcare.com/uwmedicine) on behalf of UW Medicine beginning February 20. The call center hours are 5 a.m. to 5 p.m., Pacific Standard Time, Monday-Friday. The toll-free number is 844.322.8234.
We regret that this incident occurred and sincerely apologize for any distress this may cause our patients and their families. UW Medicine is committed to providing quality care while protecting patients’ personal information. We are reviewing our internal protocols and procedures to prevent this from happening again.
Data Exposure: Questions and Answers
UW Medicine became aware of an error in a database configuration that made certain protected internal files temporarily available on the internet and visible by search. UW Medicine wanted to make you aware of the incident out of an abundance of caution.
When did this happen?
December 4, 2018
How was this incident discovered?
UW Medicine became aware of this incident on December 26, 2018, when a patient was conducting a Google search for their own name and found a file containing their information. The patient reported this to UW Medicine.
What personal information was exposed?
Electronic files that UW Medicine used to document when it shared patient information in certain limited circumstances. as required by law. The files contained:
- Medical record number
- With whom UW Medicine shared your information
- A description of what information about you was shared (For example, “demographics”, “office visits” or “labs”)
- The reason for the disclosure, such as mandatory reporting or screening to see if you qualified for a research study
How many people are involved?
Approximately 974,000 individual patients.
Did the files contain specific information about my healthcare?
In general, the files described what parts of your medical record were shared, not your actual health information.
In some instances, the files included the name of a lab test that was performed (but not the result) or the name of the research study that included the name of a health condition.
Can you tell me more about the database?
The database is used to keep track of the times UW Medicine shares patient health information that meets certain legal criteria. UW Medicine is required to track this information by the HIPAA law, which is overseen by the Office for Civil Rights.
The most common reasons involve situations where UW Medicine is required by Washington state law to share patient information with public health authorities, law enforcement and Child Protective Services.
Another common example is when a researcher receives approval to access medical records to determine whether a patient may be eligible for a research study or to recruit participants. The researcher must document in the database when they access the medical record.
I didn't give UW Medicine permission to share my information. How is this allowed?
UW Medicine informs patients about how they share medical records in their Notice of Privacy Practices. UW Medicine only shares patient information when the law permits it.
How can I have my information removed from the database?
UW Medicine understands your concern. Due to state and federal regulations, these records must remain on file.
Why didn't you tell affected individuals about the loss of the data sooner?
We had to conduct a thorough analysis to confirm all patients who could be impacted and ensure all potential data is secured.
How long were the files accessible online before they were taken down?
The files became accessible on December 4, 2018 due to an internal human error. UW Medicine fixed the error immediately upon discovery on December 26, 2018. Because Google had saved some of the files before December 26, 2018, UW Medicine worked with Google to remove the saved versions and prevent them from showing up in search results. All saved files were completely removed from Google’s servers by January 10, 2019.
What is UW Medicine doing to prevent this from happening again?
UW Medicine is reviewing their protocols and procedures to prevent this from happening again. They are committed to protecting patients’ personal health information and sincerely regret that this incident occurred and apologize for any distress this may cause patients and their families. As part of the regulatory requirements, they have also reported this incident to the Office for Civil Rights and made a press announcement. UW Medicine is committed to providing quality care while protecting patients’ personal information.
Has the information been misused?
At this time, there is no evidence that there has been any misuse or attempted use of the information exposed in this incident.
I did not receive a letter stating that my information was compromised. Do I need to be worried?
The review of the data was extensive and all of the affected individuals are being notified by mailed letters. If you do not receive a letter, please be assured that your healthcare information was not compromised in this incident.
What are the risks of identity theft with the information that was exposed?
We believe the risk of identity theft to you is negligible since no financial information or Social Security numbers were exposed. Even though the files contained your name and medical record number, the medical record number generally is only used for internal purposes, not for communicating with patients.
I did receive a letter. What action do I need to take?
There is no further action that patients need to take. However, if you still have questions, you can call toll-free 844.322.8234 and one of our representatives will assist you. The call center hours are 5 a.m. to 5 p.m. Pacific Standard Time, Monday-Friday.
Downloadable media resources: