Class Action Lawsuit Filed Against UW Medicine Over 974,000-Record Data Breach

A class action lawsuit has been filed in King County Superior Court against the University of Washington Medicine over a data breach that exposed patients' protected health information (PHI).

The legal action stems from a server misconfiguration in December 2018 that exposed the PHI of 974,000 patients over the web. The misconfigured server held an accounting of disclosures database. The information potentially exposed included patient names, medical record numbers, a list of the entities that had received patient data, and the purpose of each disclosure. For some patients, the exposed data also included information about a research study they took part in, their health condition, and the name of a laboratory test performed. For certain patients, more sensitive information was exposed, such as the fact that an HIV test had been taken and, in some instances, the patient's HIV status. No Social Security numbers, financial data, health insurance data, or medical records were exposed.

The server misconfiguration occurred on December 4, 2018. UW Medicine learned of the breach after a patient discovered that a file containing their medical information had been indexed by Google. On December 26, 2018, UW Medicine identified and corrected the misconfiguration.

In a press release issued on February 20, 2019, UW Medicine stated that access to the database had been unsecured for three weeks. UW Medicine worked directly with Google to have all indexed data removed from Google's servers, a process completed on January 10, 2019.

The lawsuit alleges that UW Medicine was negligent and failed to adequately secure its patients' PHI, and that it did not notify patients promptly after the PHI was exposed. The plaintiffs allege that patients suffered injury, distress, and reputational damage as a result of the breach, and now face a greater risk of identity theft, abuse, and fraud.

The lawsuit also cites a previous UW Medicine data breach as further evidence of inadequate data security practices. That 2013 breach was a malware infection that occurred after an employee opened an infected email attachment; the attack affected 90,000 patients.

The HHS' Office for Civil Rights investigated the 2013 breach and found that UW Medicine had violated the HIPAA Security Rule by failing to implement sufficient policies and procedures to prevent, detect, contain, and correct security violations. UW Medicine settled the case in 2015 by paying OCR $750,000 and agreeing to a corrective action plan, which required a comprehensive analysis of security risks and vulnerabilities and the creation of an organization-wide risk management plan.

The plaintiffs allege that UW Medicine's inadequate security practices have now exposed the PHI of about one million patients, far exceeding the impact of the 2013 breach. They claim this violates UW Medicine's statutory and professional standard-of-care obligations, breaches the reasonable expectations the plaintiffs and the class held when they chose to enter into a patient-provider relationship with UW Medicine, and thereby diminishes the value of the services UW Medicine provided and its patients paid for.

The lawsuit seeks full disclosure of the data that was exposed, statutory damages and attorneys' fees, and an order requiring UW Medicine to implement adequate security practices and safeguards to prevent further data breaches.