Data Breach of the Month: UW Medicine

Welcome back to our Data Breach of the Month series, where we look at a notable cyber incident or data breach from the past month. Sometimes we’ll offer deeper analysis of the latest big breach, and other times we’ll focus on a lesser known incident that has outsized implications for the security industry.

In each case, you’ll learn the type of data breached, the vulnerabilities or gaps that were exploited, and what organizations can do to remediate effectively and address potential root causes.

So without further ado, our breach of the month for February, 2019 is… the patient data left exposed by University of Washington Medicine.


What Happened?

On February 20, University of Washington Medicine, a network comprising a medical school and several medical centers and clinics, announced that it had inadvertently exposed personal data belonging to 974,000 patients in December of last year. The incident counted as a HIPAA breach.

The exposed database contained patient names, medical record numbers, and other descriptive information. Fortunately, no Social Security numbers, financial information, or full medical records were included, meaning there is a low risk of identity theft or other misuse of the information.

The breach was discovered when a patient stumbled across their own information in the results of a Google search. UW Medicine was made aware of the exposed data on December 26, and the data was completely removed from Google by January 10. The delay was more likely due to the complexity of permanently removing saved information from Google’s servers, rather than any foot-dragging on the part of UW Medicine.

The breach has been reported to the Office for Civil Rights at the Department of Health and Human Services. It is currently the fourth-largest breach listed on the OCR’s “wall of shame”.


How Did it Happen?

The exposed database was used to track the data that UW Medicine shares with other entities, such as public health authorities, law enforcement, or researchers for use in the assessment of eligibility for studies. A coding error made when moving the data to a new server left the database misconfigured. The data was visible to the public online for at least three weeks.

While the data that was compromised in the breach was not as damaging as the data in many other notable breaches, the scale of the breach has drawn scrutiny. A local politician has introduced legislation requesting an investigation into how the breach happened, and how future breaches can be prevented.


How to Minimize the Risk of this Type of Breach

This incident is not the first time that UW Medicine has come under scrutiny for poor information security. They previously paid a $750,000 fine to OCR in 2015 for failing to adequately protect patient data. A misconfigured database is most likely to result from a simple case of overlooked steps, particularly a failure for IT to follow the requirements of the security team.

A security operations platform like D3 might not directly help in this scenario, but a few of our capabilities are designed to minimize these types of mistakes during other processes—namely incident response, and investigations. The first is the concept of the playbook, which is at the core of the D3 system. While this can manifest as highly complex workflows that orchestrate security actions across dozens of security tools, in its simplest form, a playbook is a checklist. Using checklists is the simplest way to codify your organization’s experience and enforce adherence to policies. It may sound overly simple, but too many organizations fail to standardize processes in this way.

The second important capability is comprehensive audit logs. For our clients, this helps them produce evidentiary-quality data during audits, lawsuits, and regulatory reporting. It also allows them to look closely at how every incident was handled, facilitating learning and improvements over time. In a case like UW Medicine, audit logs serve an obvious purpose: they allow you to pinpoint where exactly the mistake took place, reducing misplaced blame and highlighting where changes need to be made in the future.

Finally, supporting better communication between IT and Security teams reduces the likelihood that security concerns will be overlooked by IT personnel. After all, IT personnel are increasingly taking on more security responsibilities. Look for tools that support collaboration instead of reinforcing existing silos. In D3’s platform, we enable communication and collaboration with features like case folders for collaborative investigations, the ability to require approvals from different teams for important actions, and role-based permissions that can grant temporary access to limited data sets to personnel outside of the security team when their input is needed.

Thanks for joining us. We’ll see you back here next month for a new Data Breach of the Month.

Social Icon
Walker Banerd

Walker is D3 Security's Director of Content Marketing. He leads the writing of D3's blog, as well as white papers, industry briefings, and other thought leadership. Walker's expertise is translating technical concepts into easily understandable content, with a focus on software, cybersecurity, and compliance solutions.