Almost one million University of Washington (UW) Medicine personal health information files were exposed for most of December 2018 due to a misconfigured database.
The healthcare facility reported a website server was searchable on the internet from December 4-26 containing the data on 974,000 patients. UW said the delay in reporting the data breach was due to the time it took to conduct the initial investigation.
The files contained patient names, medical record number, with whom UW Medicine shared the information, a description of what information was shared (For example, “demographics”, “office visits” or “labs”) and the reason for the disclosure, such as mandatory reporting or screening to see if you qualified for a research study, UW said. In some cases, the files included the name of a lab test that was performed (but not the result) or the name of the research study that included the name of a health condition.
The files did not contain specific medical records, patient financial information or Social Security numbers.
“At this time, there is no evidence that there has been any misuse or attempted use of the information exposed in this incident,” UW said in a statement.
The issue was discovered by a patient who Googled their name and uncovered their medical file and reported this finding to UW. The database was left open due to human error, UW said, and was locked down on December 26. The school also worked with Google to remove any cached information that it had retained.
UW is now in the process of notifying the victims.
