A database error late last year exposed the personal information of nearly a million patients, University of Washington Medicine said Wednesday.
The healthcare network, which employs nearly 30,000 providers in the Pacific Northwest and does 64,000 admissions annually, said the problem was spotted by a patient who Googled their own name and stumbled across a file with the information.
The files didn’t contain medical records, financial information or Social Security numbers, according to a UW Medicine statement. Because of this, the provider said the risk of identity theft was low.
However, in some cases, the files contained the name of a lab test that was performed or a research study that included the name of a health condition.
“There is no evidence that there has been any misuse or attempted use of the information exposed in this incident,” UW Medicine said.
The records became searchable in early December and remained public until the vulnerability was spotted three weeks later, on Dec. 26. Human error led to the exposure.
UW Medicine worked with Google to scrub the information from search results and remove saved versions of the files, a process that completed on Jan. 10. The health system is sending letters to the 974,000 patients who were affected.
“We regret that this incident occurred and sincerely apologize for any distress this may cause our patients and their families,” the provider said. “UW Medicine is committed to providing quality care while protecting patients’ personal information. We are reviewing our internal protocols and procedures to prevent this from happening again.”
“This is not the most damaging healthcare data breach I’ve seen, and the response from the University of Washington is quite good,” Corey Nachreiner, CTO at Seattle cybersecurity company WatchGuard Technologies, said in an email. “The worst case scenario seems to be that a patient’s health condition could be exposed. Not good, but not necessarily something criminals can monetize easily.”
“This is a breach of data, but it’s also a massive breach of the public’s trust,” Dunn said in a statement. “That’s why I am immediately introducing legislation requesting the County Executive to form a commission to investigate what went wrong, why it happened, and how to ensure this never happens again. The public deserves so much better.”
The UW Medicine network includes Harborview Medical Center, UW Medical Center, Valley Medical Center and others.
Patients with questions can visit a dedicated website or call (844) 322-8234.