U. of Washington incident puts cybersecurity at forefront in healthcare
Unfortunately, data breaches are nothing new at this point, as it seems every week or so the news reports another company or database compromised to the tune of tens of thousands of customers having their personal info leaked or made public.
The problem took center stage in healthcare last month, when the University of Washington announced that nearly one million medical patients (974,000, to be exact) were affected by a breach that exposed names, medical record numbers and other information on the internet last December.
While letters were mailed to those affected, hospital personnel were quick to clarify that the exposed files did not contain medical records, patient financial information or Social Security numbers.
“UW Medicine became aware of a vulnerability on a website server that made protected internal files available and visible via a search on the internet on Dec. 4, 2018,” spokeswoman Susan Gregg said in a statement. “The files contained protected health information (PHI) about reporting that UW Medicine is legally required to track, such as reporting to various regulatory bodies in compliance with Washington state reporting requirements.”
UW Medicine became aware of the incident the day after Christmas, when a patient performed a Google search for their own name and came across one of the files. The patient reported the discovery to UW Medicine, which began investigating and found that portions of medical records had been exposed, but not the underlying health information. For instance, a file would often include the name of a lab test, but not the test’s result.
“The database is used to keep track of the times UW Medicine shares patient health information that meets certain legal criteria,” UW representatives explained in a Q&A document created shortly after the incident. “UW Medicine is required to track this information by the HIPAA law, which is overseen by the Office for Civil Rights.
The most common reasons involve situations where UW Medicine is required by Washington state law to share patient information with public health authorities, law enforcement and Child Protective Services.”
The breach at the University of Washington has made headlines early in 2019, but it’s far from the only one of its kind. Here’s a look back at some large U.S. data breaches over the past decade:
State Government: State of Texas (April 2011; 3.5 million affected)
The beginning of the decade served as the ‘early days’ of data breaches, and the state of Texas learned a hard lesson when sensitive information was inadvertently stored on a publicly accessible server, exposing 3.5 million Texans’ personal information, including Social Security numbers, dates of birth and driver’s license numbers.
The breach was the most extensive ever in Texas and, at the time, one of the largest of its kind nationally. Its source was the state Comptroller’s office, where several employees were terminated in the aftermath.
Travel: Marriott International (2014 to 2018; approximately 500 million customers affected)
In November 2018, Marriott International announced that attackers had stolen data on approximately 500 million customers. The intrusion began in 2014 on systems supporting the Starwood hotel brands, went unnoticed when Marriott acquired Starwood in 2016 and stayed undetected until September 2018.
For some victims, only names and contact information were compromised. For others, the attackers took some combination of contact details, passport numbers, Starwood Preferred Guest account numbers, travel information and other personal data. Marriott also believes that credit card numbers and expiration dates of more than 100 million customers were taken; those numbers were stored encrypted, and the company could not rule out that the attackers had also obtained the components needed to decrypt them.
The intrusion was later attributed by U.S. officials to Chinese state intelligence seeking information on Americans, making it one of the largest known breaches attributed to a nation-state.
Credit reporting: Equifax (July 29, 2017; about 143 million affected)
This was the incident that really put data security on the map. Two summers ago Equifax, a giant in U.S. credit reporting, admitted that birth dates, Social Security numbers, home addresses and other sensitive information had been compromised, along with roughly 200,000 credit card numbers.
After the Equifax breach, attention turned to what happened to the stolen information and how it was used. The data never surfaced on underground markets, and there was no wave of identity theft. Eventually speculation emerged that, as in the Marriott incident, a foreign government was behind the attack, seeking information that could be of some benefit. What benefit? Opinions vary.
A later investigation by the United States Congress found that Equifax had neglected cybersecurity for years, including leaving a publicly known flaw in the Apache Struts framework behind its consumer-facing web application unpatched for months after a fix was available, a common finding in these cases. Despite all the attention paid to data breaches and identity theft, some surprisingly large companies still fail to take such threats seriously until it is too late.
Other experts believe the problem is not negligence so much as overconfidence: once a security system is installed, executives and employees believe the problem is solved and fail to run their own checks to confirm it is working as intended. We will discuss this and other potential solutions in Part 2 of this article, which will address how healthcare organizations are ensuring they will not become the next victim.