Medical data about nearly 1 million patients of the University of Washington Medicine was exposed online for at least three weeks in December, the school said in a statement this week.
Data about approximately 974,000 individuals was included, the school announced Wednesday. UW Medicine is sending letters to the affected patients and has notified the Office for Civil Rights at the U.S. Department of Health and Human Services.
A misconfigured database made visible patient names, medical record numbers, with whom the school shared patients’ medical information, and a description of what was shared, such as office vs. lab visits or patient demographic information. In some cases, exposed files included the name or a lab test that was performed, though not the result, or the name of a research study including the name of a health condition.
The information in question became accessible on Dec. 4, 2018 “due to an internal human error,” the school said. UW Medicine detected the issue on Dec. 26 after a patient found their own name and medical file on Google, the Seattle Times reported. The school says it responded immediately, though the medical data wasn’t removed from Google until Jan. 10, according to UW Medicine.
The Office of Civil Rights, which investigates breaches affecting more than 500 people, did not list UW Medicine among its cases currently under investigation.
“We regret that this incident occurred and sincerely apologize for any distress this may cause our patients and their families,” the school said in a statement.
But UW Medicine has been here before. The school in 2015 agreed to pay the Office of Civil Rights $750,000 to settle charges that it “potentially violated” the Health Insurance Portability and Accountability Act by failing to implement policies to “prevent, detect, contain and correct security violations.”
In that case, OCR initiated an investigation after the hospital system reported a breach in 2013 in which protected health information about 90,000 people was accessed after an employee downloaded malware.
“UW Medicine is reviewing their protocols and procedures to prevent this from happening again,” the school said this week after reporting its most recent breach. “They are committed to protecting patients’ personal health information[.]”