UW Medicine Hit with Lawsuit for Breach Impacting 974K Patients

About 974,000 UW Medicine patients were impacted by a breach caused by a misconfiguration error that lasted for several weeks; the lawsuit claims the health system did not provide accurate notice.

The University of Washington Medicine is facing a class-action lawsuit following its disclosure of a patient data breach that impacted 974,000 patients.

According to the lawsuit filed in the King County Superior Court, patients alleged that UW Medicine failed to properly secure and safeguard their protected health information and did not provide timely or accurate notice that their data had been breached.

In February, the provider reported patient data had been left exposed on the internet for three weeks due to a misconfigured server. Officials said they did not discover the mistake until a patient notified UW Medicine that they’d found a file containing their data through a Google search.

The investigation that followed revealed the employee error left the data exposed from December 4 to December 26. The information was then removed from the site and from saved information on third-party sites.

“Because Google had saved some of the files before December 26, 2018, UW Medicine worked with Google to remove the saved versions and prevent them from showing up in search results,” officials said, at the time. “All saved files were completely removed from Google’s servers by Jan. 10, 2019.”

The database kept track of when UW Medicine shared patient health information, as required by HIPAA. Data sharing commonly occurred with public health authorities, Child Protective Services, and law enforcement.

The compromised data did not include Social Security numbers, financial data, or medical records. Rather, patient names, medical record numbers, the party who received the data, and the purpose of the disclosure were exposed. For some patients, the name of a lab test (not the results), the research study they took part in, and their health condition were also exposed.

The lawsuit is seeking to require UW Medicine to fully and accurately disclose “the precise nature of data that has been compromised and to adopt reasonably sufficient security practices and safeguards to prevent incidents like the one described herein occurring in the future.”

“The breach not only revealed that UW Medicine failed to provide the level of data protection it promised and that its patients paid for, but this was not the first time UW Medicine has exposed the PHI of its patients due to inadequate information security practices,” according to the lawsuit.

In 2013, the provider reported a breach of about 90,000 patient records to the Department of Health and Human Services. A malware infection compromised a computer containing a trove of PHI.

UW Medicine settled with HHS in 2015 for $750,000 and a corrective action plan, after an Office for Civil Rights investigation found the provider “did not ensure that all of its affiliated entities were properly conducting risk assessments and appropriately responding to the potential risks and vulnerabilities in their respective environments.”

The lawsuit claims UW Medicine failed to implement the measures recommended after the previous breach. Further, they argue that waiting nearly two months to report the breach to patients violated Washington state law. Under HIPAA, UW Medicine had up to 60 days to report.

“Through discovery and public record requests, plaintiffs have confirmed that the exposed information included information reflecting a patient’s HIV test-taking history and even status, along with medical record numbers, names, and other sensitive patient-accounting information,” the lawsuit claims.

“Moreover, discovery has confirmed that at the time it notified the victims and the public about the breach, it knew that the exposed database had been accessed by unauthorized parties but told the victims and the public that there was nothing to worry about and no evidence of harm,” it adds.

The breach victims argue that UW Medicine has put them at risk of identity theft, fraud or abuse, as well as reputational loss and distress. They are seeking statutory damages and attorneys’ fees.

This is the second breach lawsuit filed in the last week. Hackensack Meridian Health was sued following a ransomware attack that drove the health system offline for several days in December. The frequency of these filings has rapidly increased, with at least six breach lawsuits filed in the last two months.
