The accidental removal of protections on a UW Medicine website server resulted in the protected health information (PHI) of 974,000 patients being exposed on the internet. Files containing sensitive information were indexed by search engines and could be found with a simple search. UW Medicine was alerted to the privacy breach on December 26, 2018, by a patient who had performed a Google search of their own name and came across a file containing PHI.
An investigation found that an error had been made when configuring a database on December 4, 2019. UW Medicine used the database to keep track of the individuals, companies, and organizations that had been given access to patients’ PHI as part of its HIPAA compliance efforts. Whenever a patient’s PHI was accessed, a summary was entered into the database.
UW Medicine immediately fixed the error and contacted Google to ensure the files were removed from its listings. It took some time for all cached copies of the files to be removed. UW Medicine reports that all cached copies of the files had been removed from Google by January 10, 2019.
A review of the files showed they included patients’ names, medical record numbers, details of the parties with whom UW Medicine shared the patient’s data, a summary of the reason for disclosing the information, and a short description of the information that had been shared (demographics, laboratory tests, office appointments, etc.). In some instances, a health condition was stated in relation to a research study or a medical test. In the latter case, the details may have mentioned the test name (an HIV test, for example) but not the result of the test.
The most common entities with whom PHI was shared, as detailed in the database, were Child Protective Services, public health authorities, law enforcement, and researchers who were checking whether patients were eligible to participate in research projects.
The HHS’ Office for Civil Rights has been notified about the breach and all patients have now been sent breach notification letters. UW Medicine cannot say how many individuals accessed the exposed files, but it is believed that there is a negligible risk of identity theft and fraud due to the nature of the exposed data. Policies and procedures have now been updated to prevent similar breaches from occurring in the future.
The accidental error cost UW Medicine $1 million in breach notification costs alone.