UW Medicine Facing Breach Lawsuit

The University of Washington School of Medicine is facing a class-action lawsuit over a data breach that impacted 974,000 patients. 

Plaintiffs claim UW Medicine failed to "properly secure and safeguard" patients' personal health information (PHI), resulting in the exposure of data that included patient names, medical record numbers, and other healthcare data.

Earlier this month, UW Medicine reported that a misconfigured server had resulted in patient data being exposed online for a three-week period. The breach was identified when a patient came across a file containing their own PHI during a routine Google search and reported it to UW Medicine.

After an internal investigation into the incident, UW Medicine found that an employee error had left a database containing patient data exposed from December 4 to December 6, 2018. 

"Because Google had saved some of the files before December 26, 2018, UW Medicine worked with Google to remove the saved versions and prevent them from showing up in search results," officials said at the time. "All saved files were completely removed from Google’s servers by January 10, 2019."

UW Medicine said that the compromised data did not include financial information or Social Security numbers. Data that was exposed included details regarding what tests patients had undergone. 

Judging from the wording of the complaint filed in King County Superior Court, the plaintiffs aren't certain exactly what information was exposed in the breach. Among other things, the plaintiffs are seeking an order that will require UW Medicine to "fully and accurately disclose the precise nature of data that has been compromised." 

Plaintiffs also want UW Medicine "to adopt reasonably sufficient security practices and safeguards" to prevent further breaches.

In 2015, UW Medicine agreed to take corrective action and pay the Department of Health and Human Services $750,000 following a 2013 breach, which exposed 90,000 patient records. The healthcare provider said the incident was the result of a malware infection. 

An audit of UW Medicine conducted at the time by the Office for Civil Rights found that the healthcare provider did not ensure that all of its affiliated entities were properly conducting risk assessments and appropriately responding to the potential risks and vulnerabilities in their respective environments.