On February 20, University of Washington Medicine reported on its Website, as required by the HITECH Act Breach Notification Rule, that “[o]n Dec. 26, 2018, UW Medicine became aware of a vulnerability on a Website server that made protected internal files [containing protected health information (PHI) of approximately 974,000 affected patients] available and visible by search on the Internet on Dec. 4, 2018…. When we learned of the exposure of the files, we took immediate steps to remove the information from the site and initiated appropriate measures to remove saved information from any third-party sites. At this time, there is no evidence that there has been any misuse or attempted use of the information exposed in this incident…. We are reviewing our internal protocols and procedures to prevent this from happening again.”
Two observations follow from this security incident. First, the case reflects the finding in the recently released Verizon 2018 Data Breach Investigations Report that “[h]ealthcare is the only industry where the threat from inside is greater than that from outside: 56% internal, with 35% due to error.” Second, a review of the UW Medicine Website shows a master class example of exactly the type of public notification that the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services requires.