The University of Washington is alerting nearly a million patients of a data breach that resulted in unauthorised individuals being able to access their protected health information (PHI) through search engines online.
The error was caused when an employee accidentally disabled the protections on the hospital’s website server. This resulted in the PHI of approximately 974,000 patients being indexed by search engines, and therefore accessible to anyone with an Internet connection using a search engine. Users were not required to use any login credentials to access the files.
A patient discovered the exposed data while completing a Google search of his own name, and noticing that is private medical information was returned in the search. He alerted UW Medicine of the breach on December 26, 2018.
The University of Washington is alerting nearly a million patients of a data breach that resulted in unauthorised individuals being able to access their protected health information (PHI) through search engines online.
The error was caused when an employee accidentally disabled the protections on the hospital’s website server. This error resulted in the PHI of approximately 974,000 patients being indexed by search engines, and therefore accessible to anyone with an Internet connection using a search engine. Users were not required to use any login credentials to access the files.
A patient discovered the exposed data while completing a Google search of his name, and noticing that is private medical information appeared in the search. He alerted UW Medicine of the breach on December 26, 2018.
UW Medicine immediately launched an internal review of the breach. The investigators wished to assess the scope of the breach, and determine how many patients were affected and what types of information unauthorised individuals may have been viewed online.
UW Medicine discovered that an error had been made in the set up of a database which leads to internal files being temporarily accessible over the Internet. The employee misconfigured the server on December 4, 2019. Ironically, UW Medicine used the exposed database to record patient health information disclosures.
UW Medicine took fixed the error as soon as they were made aware of it on December 26. UW Medicine contacted Google to request the search engine giant delete all cached copies of the files. UW Medicine reports that Google deleted all cached copies of its files by January 10, 2019.
The files included patients’ names, medical record numbers, information about with whom UW Medicine had shared patient information, a summary of the reason for the disclosure, and a brief description of the sort of information that was shared (such as demographics, labs, office visits ). Some files included the name of a health condition concerning a research study and the name of a lab test performed. The information may have shown what the patient was being tested for (such as HIV), but the files did not include the results of the test.
The most common disclosures mentioned in the files included data shared with Child Protective Services, law enforcement, public health authorities. The files included instances when researchers needed access to a patient’s medical records to check if the patient was eligible to participate in a research study.
Due to the magnitude of the breach, UW Medicine had difficulty ensuring that they have now placed protections on all patient information. It also took them a considerable amount of time to identify the patients affected by the breach.
Following HIPAA’s Breach Notification Rule, UW Medicine has reported the breach to HHS’ Office for Civil Rights and sent breach notification letters to all patients.
The investigators were not able to determine how many individuals gained access to the files during the time search engines indexed them. However, they have said that they have not seen evidence that any patient information has been misused. Furthermore, UW Medicine believes that, due to the nature of data exposed, the patients are at minimal risk of identity theft and data fraud.
Due to the vast number of individuals affected by the breach, dealing with the aftermath has proven costly for UW Medicine. According to Dr Timothy Dellit, chief medical officer at UW Medicine, the mailing of breach notification letters has cost UW Medicine around $1 million. UW Medicine has not publicly disclosed the cost of the investigation into the breach.
UW Medicine has stated that it is in the process of reviewing its security protocols to ensure that a breach of this nature does not occur in the future.