Misconfigured database leads to major data breach at UW Medicine

Seattle-based UW Medicine is notifying close to 1 million patients of a database configuration error that exposed their protected health information on the internet for several weeks.

UW Medicine said in a statement that it became aware on Dec. 26, 2018 of a vulnerability on a website server that had made protected internal files temporarily available on the internet. Those files had been visible to search engines since Dec. 4, 2018, roughly three weeks earlier.

The files contained protected health information (PHI) that UW Medicine is legally required to track in compliance with Washington state reporting requirements, the health system said.

The error was discovered by a patient who was conducting a Google search for their own name and found a file containing their information. The patient reported this to UW Medicine.

The health system said that once it learned of the exposed files, it took immediate steps to fix the error, remove the information from the site and remove cached copies from any third-party sites. “Google had saved some of the files before Dec. 26, 2018, so UW Medicine worked with Google to remove the saved versions and prevent them from showing up in search results. All saved files were completely removed from Google’s servers by Jan. 10, 2019,” the health system said.


The files became accessible on Dec. 4 due to an internal human error, UW Medicine said. “At this time, there is no evidence that there has been any misuse or attempted use of the information exposed in this incident,” officials said.

UW Medicine is an academic medical system that includes several hospitals and a large physician practice plan. Health system officials said the breach was reported to the Department of Health and Human Services Office for Civil Rights, but the incident has not yet been posted to the OCR breach notification portal. The data breach, potentially impacting 974,000 patients, could be the largest so far in 2019.

The misconfigured database is used to keep track of the times UW Medicine discloses patient health information in ways that meet certain legal criteria. UW Medicine is required to maintain this accounting of disclosures under HIPAA, which is overseen by the Office for Civil Rights, the health system said.

The electronic files that were exposed contained patients’ names, medical record numbers, names of the persons or entities UW Medicine shared the patient information with, a description of what information about the patient was shared, such as office visits or labs, and the reason for the disclosure, such as mandatory reporting or screening for research studies. The files did not contain any medical records, patient financial information or Social Security numbers.


“In general, the files described what parts of your medical record were shared, not your actual health information," UW Medicine said in a statement to patients on its website. "In some instances, the files included the name of a lab test that was performed (but not the result) or the name of the research study that included the name of a health condition.”

Many healthcare breaches can be traced to misconfigured databases, servers and other IT systems, and some breaches involving misconfigurations have resulted in significant HIPAA settlements with OCR.

A recent report estimated that 30% of healthcare databases are misconfigured and accessible online. In that report from cyberintelligence firm IntSights, researchers looked at how hackers track down healthcare personally identifiable information (PII) on the darknet. The researchers found 1.5 million patient records exposed, discovering them at a rate of about 16,667 medical records per hour.

Santa Barbara, California-based Cottage Health agreed to pay $3 million to OCR over reported breaches of unsecured electronic PHI affecting more than 62,500 individuals in 2013 and 2015. Those separate breaches resulted from errors or misconfigurations of servers and databases that left ePHI fully accessible on the internet, according to the OCR resolution agreement.