Lawsuit Claims HIV Data Exposed in LeakLegal Action Stems From Misconfigured Database at UW Medicine
A lawsuit seeking class action status filed against UW Medicine in the wake of a data leak incident has been amended to reflect that at least one HIV patient allegedly had their data exposed.
The lawsuit alleges UW Medicine, a Seattle-based academic medical system that includes several hospitals and a large physician practice, failed to properly protect PHI when it misconfigured a database, leaving nearly 974,000 patients' information exposed to the internet for several weeks.
The plaintiffs are seeking "orders requiring UW Medicine to fully and accurately disclose the precise nature of data that has been compromised and to adopt reasonably sufficient security practices and safeguards to prevent similar incidents in the future."
Local news broadcaster KIRO 7 recently reported at least one UW Medicine patient had their HIV-related information exposed as a result of the misconfiguration. The lawsuit was updated to reflect the alleged exposure of HIV-related data.
"Through discovery and public record requests, the plaintiffs have confirmed that the exposed information included information reflecting a patient's HIV test-taking history and even status, along with medical record numbers, names, and other sensitive patient-accounting information," the amended complaint alleges.
In a statement provided to Information Security Media Group, attorney John Bender of Corr Cronin LLP, the law firm representing plaintiffs in the case, says: "Patients expect their healthcare provider to keep their information safe. Based on our investigation, that didn't happen here. Our clients want to make sure that something like this never happens again."
UW Medicine did not immediately respond to ISMG's request for comment on the lawsuit.
Data Leak Discovery
In a statement issued last year, UW Medicine said it became aware of the data exposure on Dec. 26, 2018, "when a patient was conducting a Google search for their own name and found a file containing their information. The patient reported this to UW Medicine.
UW Medicine said in the statement that "a vulnerability on a website server ... made protected internal files available and visible by search on the internet on Dec. 4, 2018."
The recently amended lawsuit, originally filed in October 2019, alleges that UW Medicine failed to properly secure and safeguard the PHI of approximately 974,000 patients, "including without limitation, patient names, medical record numbers and other healthcare data." It also alleges that the organization failed "to provide timely, accurate and adequate notice to plaintiffs and the class that the confidentiality of their information had been breached."
A Growing Problem?
The lawsuit says that data exposure tied to misconfigured IT is a growing problem.
"Third parties harvest personal information through intrusive hacking attempts or simply by using Google or software downloadable online to scour the internet for unsecured and/or misconfigured databases," the lawsuit says. "Misconfigured and/or unsecured databases, like the one at issue here, plague the healthcare sector at alarming rates."
Some of the largest health data breaches reported to federal regulators last year involved misconfigured IT. That includes a data leak reported by Puerto Rico-based clearinghouse and cloud services provider Inmediata Health Group last April that affected about 1.6 million individuals.
Plus, Texas Health Resources filed 15 breach reports related to a misconfigured billing system that caused a mailing mishap impacting a total of 83,000 individuals.
Healthcare entities must take proactive steps to avoid misconfiguring databases containing electronic protected health information, says independent privacy and security attorney Maggie Hales, who is not involved in the UW Medicine case.
"For example, the HIPAA Security Rule requires regular information system activity review, periodic technical and non-technical evaluations of the security of electronic PHI, regular review of the integrity of ePHI in electronic information systems, and audit controls," she says.
Privacy attorney David Holtzman of the security consultancy CynergisTek offers a similar assessment. "The incident involving University of Washington should remind us to remember the 'Golden Rule' of safeguarding the information security of personally identifiable information," he says.
"Any organization creating or maintaining sensitive personal information should perform an enterprisewide risk assessment that includes penetration tests and vulnerability scanning to identify the security gaps to the confidentiality, integrity and availability to the data. Use the risk assessment to develop a plan of action that prioritizes those areas that pose the highest risk of compromise to the information system."
Often the root cause of the misconfiguration of web servers, firewalls and FTP sites is a lack of policies and procedures related to change management, Holtzman notes. The application of patches and updates can sometimes interfere with other information security technologies previously put into place to safeguard sensitive data, he adds.
"It is crucial for organizations that handle sensitive personally identifiable information to put into place change management policies and procedures that include the testing of the security of the information system before putting the system into production," Holtzman says.
"Performing regular vulnerability scans and penetration testing provides a layer of protection designed to identify and pinpoint when a failure to secure a server, firewall or FTP site has left the data vulnerable to unauthorized access or disclosure."
When UW Medicine reported the incident to the Department of Health and Human Services in February 2019, the healthcare organization noted that the files involved in the breach contained protected health information that the organization is legally required to track. That includes information required for UW Medicine to comply with Washington state reporting requirements.
"The database is used to keep track of the times UW Medicine shares patient health information that meets certain legal criteria," the organization said in a 2019 statement. The most common reasons involve situations where UW Medicine is required by Washington state law to share patient information with public health authorities, law enforcement and Child Protective Services, the organization noted.
"Another common example is when a researcher receives approval to access medical records to determine whether a patient may be eligible for a research study or to recruit participants. The researcher must document in the database when they access the medical record," the statement adds.
UW Medicine noted in its statement that because Google had saved some of the files before Dec. 26, 2018, the institution worked with Google to remove the saved versions and prevent them from showing up in search results. All saved files were removed from Google's servers by Jan. 10, 2019, UW Medicine said.
The amended lawsuit contends that individuals' data was left exposed on the internet for more than one month and that UW Medicine was not forthcoming about the sensitive data, such as HIV test information, that was exposed.