[BreachExchange] Misconfigured database exposes 974,000 University of Washington Medicine patients

Destry Winant destry at riskbasedsecurity.com
Fri Feb 22 02:46:11 EST 2019


https://www.scmagazine.com/home/security-news/data-breach/misconfigured-database-exposes-974000-university-of-washington-medicine-patients/

Almost one million University of Washington (UW) Medicine personal
health information files were exposed for most of December 2018 due to
a misconfigured database.

The healthcare facility reported that a website server containing the
data on 974,000 patients was searchable on the internet from December
4-26. UW said the delay in reporting the data breach was due to
the time it took to conduct the initial investigation.

The files contained patient names, medical record numbers, with whom UW
Medicine shared the information, a description of what information was
shared (for example, “demographics”, “office visits” or “labs”) and
the reason for the disclosure, such as mandatory reporting or
screening to see if you qualified for a research study, UW said. In
some cases, the files included the name of a lab test that was
performed (but not the result) or the name of the research study that
included the name of a health condition.

The files did not contain specific medical records, patient financial
information or Social Security numbers.

“At this time, there is no evidence that there has been any misuse or
attempted use of the information exposed in this incident,” UW said in
a statement.

The issue was discovered by a patient who Googled their name and
uncovered their medical file and reported this finding to UW. The
database was left open due to human error, UW said, and was locked
down on December 26. The school also worked with Google to remove any
cached information that it had retained.

UW is now in the process of notifying the victims.

