Imagine that your most private medical information is suddenly available worldwide on the internet.
That’s what happened to nearly a million UW Medicine patients, including a man who recently spoke with KIRO 7 on the condition his identity would be protected.
“I trust that what I say and do at the doctor’s office will be between me and my doctor,” he said. “I felt like they violated that trust.”
The huge data breach -- one of the largest in state history – occurred because of human error and was first reported by KIRO 7 in February of 2019. Because of the breach, private medical files were available online – in Excel spreadsheets -- for nearly three weeks.
The breach has now led to a class-action lawsuit that could eventually represent all 974,000 patients whose names and personal health information were compromised.
The man who spoke with KIRO 7 said the fact he’d had an HIV test was publicly available.
“My heart sank because I was already embarrassed to ask my doctor for the test,” he said. “I have no idea what will be done with that information today or ever.”
KIRO 7 obtained a cellphone screen-grab of one of the compromised spreadsheets. It clearly shows patients’ names and health information, including diagnoses, treatment information, who might have visited the ICU, emergency room and more. The information was also very easy to access.
The Excel spreadsheet was found by a KIRO 7 employee researching a romantic interest. When she did a simple Google search using just the man’s name, a spread sheet that appeared on her computer screen revealed the man had taken an HIV test.
The KIRO 7 employee told her friend, Megan Flory, who contacted UW Medicine.
Flory said, when she called UW Medicine an employee told her “they were aware of it and thanks for calling, and they’re trying their best” to get the information removed.
“Having things out on Google like that is scary,” Flory added.
KIRO 7's February 2019 interview with Flory is detailed in the class action lawsuit as alleged evidence UW Medicine's "database had been accessed by other third parties, and that the exposed data included patient information related to HIV."
The accessible Excel spreadsheets did not include financial or Social Security information, according to a UW statement at the time.
The information also did not include medical test results.
However, the man who spoke with KIRO 7 says results don’t matter.
“There are still stigmas attached to an HIV test, whether it be drug habits, sexual orientation, which is no one’s business.”
“It’s simply unacceptable that that is right out there in the public for someone to potentially use against me,” he added.
John Bender of Corr Cronin LLP in Seattle represents two plaintiffs – both UW Medicine patients -- in the class action lawsuit. His concern for his clients, and all UW Medicine patients, is, “we know there are malign actors surfing the internet, compiling information about people. And when you’re talking about sensitive health care data, that information can be used to blackmail people. It can be used to discriminate against people. There are a ton of risks.”
KIRO 7 asked UW Medicine for an on-camera interview to discuss the complaint but that request was denied.
Instead, Tina Mankowski, senior director of internal communications and media r elations for UW Medicine, emailed the following statement:
"UW Medicine takes patient privacy very seriously. As soon as we learned about the data exposure, we took immediate steps to assess and eliminate the exposure, conducted a thorough investigation, and provided timely notice to possibly affected patients. We believe any risk to individuals of identity theft or medical fraud is negligible due to the type of information exposed, which did not include Social Security numbers or financial information. In the year since the incident occurred, we have seen no misuse of the data.
“We have implemented several enhancements to our IT security practices to prevent a similar incident from recurring. We regret this incident and apologize for any distress this exposure may have caused our patients and their families.”
The patient who spoke with KIRO 7 said, even though UW Medicine has “seen no misuse of the data,” his anxiety hasn’t decreased.
“No, in fact it’s gotten worse over time because people hold onto your information for a long time and they can still come at you at any moment with blackmail.”
Bender said a trial is set for spring of 2021.
For more information about the lawsuit, visit: https://www.uwmedicineclassaction.com/
© 2020 Cox Media Group