The medical files of nearly 1 million patients at the University of Washington Medicine were exposed for three weeks on the internet in December 2018 due to a data breach. The files were exposed as a result of internal human error and contained hospital system records such as patient names, medical records, descriptions of information shared, and the reasons for disclosure.
A press statement signed by the University of Washington Medicine states that the exposed files do not include patients’ financial information, social security numbers, and specific medical records.
However, some of the files contain the research study name or the name of a lab test. In such cases, the file may have noted the specific condition the patient may have been screened for such as dementia or HIV said Dr Timothy Dellit, who is the chief medical officer at UW Medicine, at a news conference.
Although the file does not disclose the lab result and if a patient qualifies for a research study. Dellit, however, said people could make indirect conclusions from the information.
The Data Breach was discovered by a patient who Googled his name, uncovered his medical record on the search engine and reported these findings to the University of Washington Medicine
Already the university is in the process of sending out letters to 974 patients from 2003 to 2018 whose information’s were exposed due to the data breach. According to Dellit, mailing is going to people in all 50 states and will cost over $1 million.
Affected patients were not notified of the data breach for over two months because the University of Washington Medicine was trying to discover what happened, identify all affected patients, and set up support for them, which include a call center and a website.
In addition, Dellit said initial findings reveal that there is no evidence of information misuse. Therefore, the actual risk is very low.
The university has already contacted a cyber security firm, known as Crysis Group to examine and verify that no other information is still available online. It has also reported the data breach to the U.S. Department of Health and Human Service’s Office for Civil Rights.
In a swift reaction, King County Councilmember, Reagan Dunn, said he would be introducing legislation which calls for members to investigate this data breach by the University of Washington Medicine and responses, including the time it took to get affected patients informed of this uprising.
According to him, the data breach is a massive abuse of public trust in this era of big data where organizations that have access to private data must ensure there is a higher level of accountability.
In 2013, the federal agencies also investigated the University of Washington Medicine after a cyber attack led to data breach which exposed patient social security numbers, contact information, and insurance information. In that case, the institution agreed on a collective action plan and a $750,000 settlement with the agency.
The University of Washington Medicine includes Harborview Medical Center, the University’s medical school, Northwest Hospital, the UW Medical Center, Valley Medical Center and various neighborhood clinics that are located at the Puget Sound region.