The University of Washington Medicine is facing a lawsuit filed in King County Superior Court with regards to a data breach that caused the exposure of patients’ protected health information (PHI).
The filed lawsuit over a data breach in December 2018 was because of a misconfigured server. The PHI of 974,000 patients was potentially exposed over the web and might have included the patients’ names, medical record numbers, a list of entities who got access to the patient data, and the reason for disclosing the information. Several people likewise had compromised their information connected with a study they participated in, their health condition, and the name of the lab test performed. For particular patients, more sensitive information was compromised, for instance, the HIV test-taking log of a patient and, in some circumstances, a patient’s HIV status. No Social Security number, medical insurance information, financial details, and medical file were compromised.
The server misconfiguration took place on December 4, 2018. UW Medicine received an alert regarding the breach right after a patient located a file that has their medical data indexed by Google. UW Medicine determined and resolved the misconfiguration on December 26, 2018.
UW Medicine mentioned in a February 20, 2019 press release that access to the database located in the server wasn’t safe for three weeks. Google and UW Medicine collaborated directly with each other to have all indexed information taken out from Google’s servers. The collaboration was concluded on January 10, 2019.
The lawsuit claims that UW Medicine’s negligence led to its failure to appropriately protect the PHI of its patients and it was unable to alert patients quickly after the PHI breach. Allegedly, patients sustained injury, stress and reputation damage due to the breach and face a bigger risk of identity theft, fraud, and abuse.
The lawsuit similarly mentioned an earlier UW Medicine data breach that affected 90,000 patients to prove its inadequate data security controls. The past data breach in 2013 involved a malware infection that transpired after staff opened the compromised email attachment.
The HHS’ Office for Civil Rights looked into the UW Medicine breach and determined that it violated the HIPAA Security Rule. UW Medicine was unable to execute ample policies and procedures to prevent, discover, control, and handle security violations. UW Medicine settled the case in 2015 after paying $750,000 to OCR and making an agreement to follow a corrective action plan that involved doing complete security risks and vulnerabilities analysis and making an organization-wide risk management plan.
The lawsuit plaintiffs claimed that UW Medicine’s inadequate security practices have compromised the PHI of around one million patients, violating its statutory and expert standard of care obligations, in violation of Plaintiffs and the Class’ reasonable expectations while they decided to make a patient-doctor collaboration with UW Medicine, and therefore cutting down the value of the services provided by UW Medicine to its paying patients.
The lawsuit wants total disclosure regarding the information that was exposed, including legal service fees, statutory damages, and other demands to adhere to adequate UW Medicine safety techniques and procedures to help you quit resolve data breaches down the line.