UW Medicine Notifying Nearly 1 Million Patients of Data Exposure

A misconfigured database at UW Medicine in Washington state that left patient data exposed on the internet for several weeks resulted in a breach affecting 974,000 individuals.

UW Medicine says in a statement that on Dec. 26, 2018, it became aware of a vulnerability on a website server that made protected internal files available and visible by search on the internet on Dec. 4, 2018.

The mistake was discovered by a patient who was conducting a Google search for their own name and found a file containing their information. The patient reported this to UW Medicine, a Seattle, Washington-based academic medical system that includes several hospitals and a large physician practice plan.

No Simple Answer

Unfortunately, there is no simple way to completely prevent misconfiguration mishaps, such as the one at UW Medicine, says Mark Johnson of the consultancy LBMC Information Security.

“It highlights that the basics of configuration management, involving cybersecurity in that process, vetting and reviewing each change, and validating that the change was done correctly might have prevented this instance,” he says.

“However, no technology or process will 100 percent prevent human error. These steps will reduce the likelihood of it – but not eliminate it. ”

Some industry researchers predict that 80 percent of cloud data breaches will be due to customer misconfiguration, mismanaged credentials or insider theft, rather than cloud provider vulnerabilities, by 2020, Johnson says.

“Therefore, I believe it [misconfiguration] will become more common still due the complexity of the healthcare technical environment and the push to give patients greater access and accounting of their protected health information,” he says.

Read the full article