On December 26, 2018, University of Washington School of Medicine in Seattle, Washington was notified that their database had been misconfigured, resulting in a breach affecting approximately 974,000 individuals, the largest health breach of 2019. UW Medicine was first notified of this error on December 4, 2018 after a patient performed a Google search for their own name and found a file online containing some of their information through UW Medicine visible on the internet. This information contained protected health information that UW Medicine is legally required to track for statewide reporting compliance, including patients’ names, medicine record numbers, and a description and purpose of the information shared for regulatory reporting purposes. UW Medicine has advised that it will not provide free credit or ID monitoring services because the exposed information did not contain Social Security numbers, patient financial information or medical records.
This breach is the latest healthcare organization breach involving misconfigured IT. While UW Medicine worked with Google to remove all data and prevent it from showing up in search results by January 10, 2019, it demonstrated that misconfigured databases, servers and IT continue to be common culprits within heath data security incidents. Similar breaches have resulted in significant HIPAA settlements, although there have been no discussions that such a settlement will be reached in this matter.
Misconfiguration incidents tend to occur due to a database change or update that is tested only for functionality and not security. While there is no simple measure to entirely prevent such mistakes, by checking a list of key security attributes to confirm that they are all still intact after a change is completed could help such avoid breaches in the future. Although this prevention technique seems like a simple task, remembering to take this extra step of precaution to vet and review each database change prior to releasing it could stop breaches before they happen.