The files contain patients' names, medical record numbers, a description of the information shared and a description of who it was shared with, UW Medicine said in a news release.

Share story

The medical files of nearly 1 million patients of University of Washington Medicine were visible on the internet for at least three weeks in December, UW Medicine said Wednesday.

The files, which were exposed Dec. 4 because of “an internal human error,” were records the hospital system uses to document when it shares patient information, for instance with public-health authorities or law enforcement.

The files contain patients’ names, medical-record numbers, a description of the information shared and a description of who it was shared with, UW Medicine said in a news release. They do not include specific health information, social security numbers or financial information, according to UW Medicine.

Some of the files contain the name of a lab test or the name of a research study. In those cases, the files may have noted specific conditions patients were tested or screened for, such as HIV or dementia, Dr. Timothy Dellit, chief medical officer at UW Medicine, said at a news conference.

While the files don’t disclose lab results or whether a patient qualified for a research study, Dellit said people could make indirect inferences from the information.

UW Medicine is in the process of sending letters to approximately 974,000 patients from 2003 to 2018 whose data was exposed. Dellit said the mailings, which are going to people in all 50 states, will cost around $1 million. He did not have a cost estimate for the full response to the breach.

It took nearly two months to notify patients because UW Medicine was working to understand what had happened, identify all potentially-affected patients and set up support for them, including a website and call center, Dellit said.

UW Medicine includes the University’s medical school as well as Harborview Medical Center, the UW Medical Center, Northwest Hospital and Medical Center, Valley Medical Center and more than two-dozen neighborhood clinics scattered around the Puget Sound region. A Valley Medical Center spokeswoman said their data is maintained separately and was not part of the data breach.

The hospital system discovered the error Dec. 26, after a patient searched online for their own name in Google and came across the file. UW Medicine said it immediately took down the files, but it had to work with Google to remove saved versions and prevent them from appearing in search results.

All saved files were removed by Jan. 10, UW Medicine said.

“We have no evidence of misuse of this information and we only have one patient who has been confirmed to have actually seen this information,” Dellit said. “At this time we believe the actual risk of that information being viewed is very low.”

The breach occurred when the data was being moved from one server to another, Dellit said. UW Medicine is still trying to determine whether the breach was the fault of specific employees or a failure in the system.

The organization has contracted with cybersecurity consultant Crypsis Group to examine its processes and verify that no other information is available online, he said.

King County Councilmember Reagan Dunn said he would introduce legislation calling for a commission to investigate the data breach and UW Medicine’s response, including the time it took to alert patients.

“This is a breach of data, but it’s also a massive breach of the public’s trust,” Dunn said in a written statement.

The legislation, which Dunn said was to be introduced Wednesday, would request the county executive to convene the commission. Dunn said he did not know if Attorney General Bob Ferguson, who has previously investigated data breaches at private companies, would be involved.

“In this era of big data, I think it’s important that there’s a higher level of accountability for organizations that have access to our most private data,” Dunn said.

Dellit said he was not aware of the potential investigation by the county but that UW Medicine hopes to work with the County Council going forward.

UW Medicine reported the breach to the U.S. Department of Health and Human Service’s Office for Civil Rights, which may conduct its own investigation, Dellit said.

The federal agency investigated UW Medicine after a cyber attack in 2013 led to a breach of data, including some patients’ contact information, social security numbers and insurance information. In that case, UW Medicine agreed to a $750,000 settlement with the agency and a corrective action plan.

Clarification: This post has been updated to note that Valley Medical Center maintains its data separately from UW Medicine and the date range of the files.