UW Medicine Patient Data Exposed by Website Vulnerability

UW Medicine in Seattle announced today that it became aware in late December that protected internal files containing protected health information became available and visible on the internet because of a vulnerability on a website server.

The exposed files included patients names, medical-record numbers and a description and purpose of the information although patient medical records, financial information and Social Security numbers were not compromised, according to a statement released by UW Medicine. The patient data has since been removed from the compromised website.

The files contained protected health information about reporting that UW Medicine is legally required to track, such as reporting to various regulatory bodies, in compliance with Washington state reporting requirements, UW Medicine officials said in a statement.

Some 974,000 patients were affected by the data error, and the health care system which operates several hospitals, neighborhood clinics and a school of medicine is distributing letters to notify individuals whose records were exposed. In addition, the health system says it has retained a third-party vendor, ID Experts, to manage a call center and website to handle inquires from those affected by the data exposure.

At this time, there is no evidence that there has been any misuse or attempted use of the information exposed in this incident, the UW Medicine statement says. …We are reviewing our internal protocols and procedures to prevent this from happening again.