Two university health systems, two massive data breaches
University of Washington (UW) Medicine in Washington state is notifying 974,000 patients about a data breach which left their health information exposed online for weeks. This follows a recent breach announced by the University of Connecticut (UConn) Health which affected 326,629 individuals in December.
According to UW Medicine’s statement, a misconfigured database led to protected internal files being made available online and visible by internet search. The breach was discovered on December 26, 2018, when a UW student was Google searching their own name and discovered a file containing their information. The files contained protected health information (PHI) including patient names, medical record numbers, and data indicating when medical records were accessed.
Further investigation found that the files in the database were publicly accessible beginning on December 4, 2018, due to a human coding error. After learning about the breach, UW Medicine took corrective measures and worked with Google to remove saved versions of the exposed files as a way to prevent them from appearing in search results. UW Medicine is also distributing letters to all 974,000 individuals affected by the breach.
The incident has not yet appeared on the U.S. Department of Health and Human Services Office for Civil Rights Breach Portal, but it is expected to the be the biggest breach reported so far in 2019.
Another large-scale breach at a university health system was discovered on December 24, 2018, according to a statement from UConn Health. This incident occurred when an unauthorized third party accessed a limited number of employee email accounts, which compromised the data of more than 326,000 individuals. PHI exposed in the breach included names, dates of birth, addresses, billing information, appointment information, and, for some accounts, Social Security numbers.
After learning about the incident, UConn Health took steps to secure the impacted email accounts to prevent further access. It also hired a forensic security firm to conduct a search for any personal information that was exposed in the breach. UConn Health has determined that the incident did not impact the electronic medical record system or other computer systems. Affected individuals have also been notified of the breach by mail.