UW Medicine data breach: Approximately 974,000 affected patients

Approximately 974,000 University of Washington medical patients are affected by a data breach that released some names medical record numbers and other information on the Internet last December.

UW Medicine is in the process now of distributing letters to those affected with the report of the data breach.

Hospital staff said files released did not contain any medical records, patient financial information of Social Security numbers.

King County Councilmember Reagan Dunn is introducing legislation Wednesday afternoon calling on the County Executive to create a commission to investigate UW Medicine’s potential breach of public health records.

“This is a breach of data, but it’s also a massive breach of the public’s trust,” Dunn said in a statement. ”That’s why I am immediately introducing legislation requesting the County Executive to form a commission to investigate what went wrong, why it happened, and how to ensure this never happens again. The public deserves so much better.”

“UW Medicine became aware of a vulnerability on a website server that made protected internal files available and visible by search on the internet on Dec. 4, 2018,” spokeswoman Susan Gregg said in a statement. “The files contained protected health information (PHI) about reporting that UW Medicine is legally required to track, such as reporting to various regulatory bodies in compliance with Washington state reporting requirements.”

Megan Flory told KIRO 7 she accessed some of the UW Medicine files through a Google search last month after a friend discovered the exposed personal information when looking up a person’s name she’d met.

“Upset about something she'd stumbled across online,” said Flory. “It clearly said it was UW Medicine.”

Flory said there were as many as 120 names in the UW Medicine files she accessed through a Google search that also included the names of those patient’s lab tests but not the results.

“HIV was one of them?” asked KIRO 7 reporter Michael Spears.

“That was what they all were, pretty much,” said Flory. "If you don't know what it means, it’s maybe easier to kind of assume it's the worst."

Flory said she then spoke with a woman at UW Medicine to report what she’d found online.

"Having things out on Google like that is scary,” said Flory. “You know it could be upsetting or devastating for somebody.”

Gregg said when UW Medicine learned of the files exposure to the Internet, “we took immediate steps to remove the information from the site and initiated appropriate measures to remove saved information from any third-party sites. At this time, there is no evidence that there has been any misuse or attempted use of the information exposed in this incident.”

Follow this link to read a Q-and-A from UW Medicine about the data problem.

More news from KIRO 7