Lawsuit Claims HIV Data Exposed in Leak
Legal Action Stems From Misconfigured Database at UW Medicine
A lawsuit seeking class action status filed against UW Medicine in the wake of a data leak incident has been amended to reflect that at least one HIV patient allegedly had their data exposed.
The lawsuit alleges UW Medicine, a Seattle-based academic medical system that includes several hospitals and a large physician practice, failed to properly protect PHI when it misconfigured a database, leaving nearly 974,000 patients’ information exposed to the internet for several weeks.
The plaintiffs are seeking “orders requiring UW Medicine to fully and accurately disclose the precise nature of data that has been compromised and to adopt reasonably sufficient security practices and safeguards to prevent similar incidents in the future.”
Local news broadcaster KIRO 7 recently reported at least one UW Medicine patient had their HIV-related information exposed as a result of the misconfiguration. The lawsuit was updated to reflect the alleged exposure of HIV-related data.
“Through discovery and public record requests, the plaintiffs have confirmed that the exposed information included information reflecting a patient’s HIV test-taking history and even status, along with medical record numbers, names, and other sensitive patient-accounting information,” the amended complaint alleges.
In a statement provided to Information Security Media Group, attorney John Bender of Corr Cronin LLP, the law firm representing plaintiffs in the case, says: “Patients expect their healthcare provider to keep their information safe. Based on our investigation, that didn’t happen here. Our clients want to make sure that something like this never happens again.”
UW Medicine did not immediately respond to ISMG’s request for comment on the lawsuit.
Data Leak Discovery
In a statement issued last year, UW Medicine said it became aware of the data exposure on Dec. 26, 2018, “when a patient was conducting a Google search for their own name and found a file containing their information. The patient reported this to UW Medicine.”
UW Medicine said in the statement that “a vulnerability on a website server … made protected internal files available and visible by search on the internet on Dec. 4, 2018.”
The recently amended lawsuit, originally filed in October 2019, alleges that UW Medicine failed to properly secure and safeguard the PHI of approximately 974,000 patients, “including without limitation, patient names, medical record numbers and other healthcare data.” It also alleges that the organization failed “to provide timely, accurate and adequate notice to plaintiffs and the class that the confidentiality of their information had been breached.”
A Growing Problem?
The lawsuit says that data exposure tied to misconfigured IT is a growing problem.
“Third parties harvest personal information through intrusive hacking attempts or simply by using Google or software downloadable online to scour the internet for unsecured and/or misconfigured databases,” the lawsuit says. “Misconfigured and/or unsecured databases, like the one at issue here, plague the healthcare sector at alarming rates.”
Some of the largest health data breaches reported to federal regulators last year involved misconfigured IT. That includes a data leak reported by Puerto Rico-based clearinghouse and cloud services provider Inmediata Health Group last April that affected about 1.6 million individuals.