Website Vulnerability Allows Open Access to Medical Records

2019, Breaches, February

Who: University of Washington Medicine

# of Accounts Breached: 974,000

When it Occurred: Dec. 4, 2018

What Happened: A vulnerability on a website server that made protected internal files available and visible by a ​search on the internet

How it happened: UW Medicine became aware of this incident on December 26, 2018, when a patient was conducting a Google search for their own name and found a file containing their information. The patient reported this to UW Medicine. Name, Medical record number, With whom UW Medicine shared your information, A description of what information about you was shared (For example, “demographics”, “office visits” or “labs”), The reason for the disclosure, such as mandatory reporting or screening to see if you qualified for a research study

Outcome: Immediate steps were taken to remove the information from the site and appropriate measures were initiated to remove saved information from any third-party sites. At this time, there is no evidence that there has been any misuse or attempted use of the information exposed in this incident. UW Medicine is reviewing their protocols and procedures to prevent this from happening again and are fully committed to protecting patients’ personal health information and sincerely regret that this incident occurred and apologize for any distress this may cause patients and their families. This incident has been reported to the Office for Civil Rights and made a press announcement. UW Medicine is committed to providing quality care while protecting patients’ personal information.