Misconfigured Server Exposes Nearly 1 Million Patient Records

The University of Washington Medicine is notifying over 974,000 people that their information was exposed on the internet for a three-week period in December. A misconfigured server on the UW Medicine database was the cause of the breach. A patient discovered the leaked information while doing a Google search on themselves and contacted the hospital.

The exposed data was highly sensitive patient information, including names, lab test orders, and health conditions. Social Security and financial information were not exposed, according to the hospital. Susan Gregg, a spokeswoman for the hospital, stated, “We took immediate steps to remove the information from the site and initiated appropriate measures to remove saved information from any third-party sites. At this time, there is no evidence that there has been any misuse or attempted use of the information exposed in this incident.”

The breach has been reported to the Office for Civil Rights (OCR) as required by HIPAA. This puts the hospital on the dreaded “Wall of Shame”, the HIPAA Breach Reporting Tool (HBRT), a public list of data breaches maintained by the U.S. Department of Health and Human Services. UW Medicine also worked with Google to remove the information from search results.

What would happen if your company was hit with a HIPAA violation? Would it survive? If you haven’t gotten your copy yet, you need to read Craig Petronella’s book, How HIPAA Can Crush Your Medical Practice.