The personal health information of nearly 1 million University of Washington (UW) Medicine patients was available online for much of December following a database configuration error, the hospital system announced in a press release.
UW Medicine said the files of about 974,000 patients were available online from December 4 through December 26, 2018, when the misconfiguration was discovered somewhat fortuitously. A patient conducting a Google search for their own name found a file containing their information and reported it to UW Medicine; the organization had no monitoring of its own that flagged the exposure.
“When we learned of the exposure of the files to the internet, we took immediate steps to remove the information from the site and initiated appropriate measures to remove saved information from any third-party sites. At this time, there is no evidence that there has been any misuse or attempted use of the information exposed in this incident,” UW Medicine said.
The files contained patients’ names, medical record numbers, a description of the information that had been shared, and the purpose of the disclosure. UW Medicine was quick to point out that the files did not contain any medical records, patient financial information or Social Security numbers, although a name tied to a medical record number and a disclosure record is still protected health information under HIPAA.
The hospital system, which announced the breach almost two months after it was detected, said it could not go public about the error earlier because it first had “to conduct a thorough analysis to confirm all patients who could be impacted and ensure all potential data is secured.” HIPAA’s Breach Notification Rule requires affected individuals to be notified without unreasonable delay and no later than 60 days after a breach is discovered.
UW Medicine said it has since started sending letters to the affected patients to explain what happened and to apologize. Because removing the files from its own site does not remove the copies a search engine has already cached, UW Medicine said it worked with Google to purge the saved versions and prevent them from showing up in search results.
It added that all saved files were completely removed from Google’s servers by January 10, 2019. UW Medicine said it was committed “to providing quality care while protecting patients’ personal information. We are reviewing our internal protocols and procedures to prevent this from happening again.”
UW Medicine uses the database in question to keep an accounting of the times it discloses patient health information, a record that covered entities are required to maintain under the Health Insurance Portability and Accountability Act (HIPAA). HIPAA is enforced by the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services.
The hospital system explained that the “most common reasons involve situations where UW Medicine is required by Washington state law to share patient information with public health authorities, law enforcement and Child Protective Services. Another common example is when a researcher receives approval to access medical records to determine whether a patient may be eligible for a research study or to recruit participants. The researcher must document in the database when they access the medical record.”
UW Medicine consists of the university’s medical school, Harborview Medical Center, UW Medical Center, Northwest Hospital and Medical Center, Valley Medical Center and more than two dozen neighborhood clinics around the Puget Sound region. Valley Medical Center, however, maintains its data separately from UW Medicine and was not affected.
King County Councilmember Reagan Dunn was drafting legislation that would establish a commission to investigate the data breach. “This is a breach of data, but it’s also a massive breach of the public’s trust,” The News Tribune quoted him as saying.
Dunn added that: “In this era of big data, I think it’s important that there’s a higher level of accountability for organizations that have access to our most private data.”
The Office for Civil Rights had previously investigated UW Medicine after a 2013 cyber attack led to a breach of data that included some patients’ contact information, Social Security numbers and insurance information. In that case, UW Medicine agreed to a $750,000 settlement with the agency and a corrective action plan, The Seattle Times reported.
Data protection is a big headache for the health sector, and the consensus is that more can be done. Last year, the U.S. Department of Health and Human Services recorded more than 100 hacking or IT-related incidents at U.S. healthcare organizations, each affecting 500 or more individuals, the threshold above which HIPAA requires a breach to be reported to HHS.
In one such incident, the personal information of almost 20,000 children was accidentally disclosed in a data breach at WellCare Health, a contractor administering Missouri Medicaid plans.