Breach Notification , Governance & Risk Management , HIPAA/HITECH
Misconfiguration Leads to Major Health Data BreachUW Medicine Notifying Nearly 1 Million Patients of Data Exposure
A misconfigured database at UW Medicine in Washington state that left patient data exposed on the internet for several weeks resulted in a breach affecting 974,000 individuals.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
UW Medicine says in a statement that on Dec. 26, 2018, it became aware of a vulnerability on a website server that made protected internal files available and visible by search on the internet on Dec. 4, 2018.
The mistake was discovered by a patient who was conducting a Google search for their own name and found a file containing their information. The patient reported this to UW Medicine, a Seattle, Washington-based academic medical system that includes several hospitals and a large physician practice plan.
UW Medicine is just the latest healthcare organization to report a breach involving misconfigured IT. Similar mishaps have been reported by many others, including breaches that have resulted in enforcement actions by federal and state regulators.
To help avoid incidents involving misconfigured IT, organizations should add a step to their change management processes - check af list of key security attributes to ensure they're still intact after a change is completed, says Keith Fricke, principle consultant at tw-Security. "Such a practice may even uncover that security controls were missing before the change," he notes.
The misconfigured database at UW Medicine was the result of a coding error when data was being moved onto a new server, a UW Medicine spokeswoman tells Information Security Media Group.
The organization is not offering free credit or ID monitoring services because the exposed files contained no Social Security numbers, patient financial information or medical records, the spokeswoman says.
The files contained protected health information that UW Medicine is legally required to track to, for example, comply with Washington state reporting requirements, the statement says. The exposed information included patients' names, medical record numbers, and a description and purpose of the information shared for regulatory reporting purposes.
"The database is used to keep track of the times UW Medicine shares patient health information that meets certain legal criteria," the statement says. The most common reasons involve situations where UW Medicine is required by Washington state law to share patient information with public health authorities, law enforcement and Child Protective Services, the organization notes.
"Another common example is when a researcher receives approval to access medical records to determine whether a patient may be eligible for a research study or to recruit participants. The researcher must document in the database when they access the medical record," the statement adds.
"When we learned of the exposure of the files to the internet, we took immediate steps to remove the information from the site and initiated appropriate measures to remove saved information from any third-party sites," UW Medicine says in the statement. "At this time, there is no evidence that there has been any misuse or attempted use of the information exposed in this incident."
UW Medicine notes that because Google had saved some of the files before Dec. 26, 2018, the institution worked with Google to remove the saved versions and prevent them from showing up in search results. All saved files were completely removed from Google's servers by Jan. 10, 2019, UW Medicine notes.
Although UW Medicine notes that the incident has been reported to the Department of Health and Human Services, the breach has not yet been posted on the HHS Office for Civil Rights HIPAA Breach Reporting Tool website, which lists health data breaches affecting 500 or more individuals.
Once regulators confirm the details and add the incident to the website, it could be the largest health data breach reported so far in 2019.
Misconfigured databases, servers and other IT are a fairly common culprit in health data security incidents.
Some breaches involving misconfigurations have also resulted in hefty HIPAA settlements with OCR. For example, earlier this month, OCR slapped Cottage Health, which runs several California-based hospitals, with a $3 million settlement for two breaches involving misconfigured IT that impacted a total of 62,500 individuals.
One of those Cottage Health breaches, which impacted more than 5,000 individuals, occurred when a server was misconfigured following an IT response to a troubleshooting ticket, exposing unsecured electronic PHI on the internet.
Among OCR's findings during its investigation into the Cottage Health breaches, the agency says the entity failed to perform periodic technical and nontechnical evaluations in response to environmental or operational changes affecting the security of ePHI.
Besides the enforcement action by OCR, Cottage Health in 2017 reached a $2 million settlement with the California attorney general's office for the same two breaches Health Data Breaches Lead to $2 Million California Penalty).
In another incident reported last October, a coding error in a portal of the Employee Retirement System of Texas, which administers retirement benefits, including health insurance, for state workers, inadvertently allowed some users to view the information of others, potentially exposing information on nearly 1.25 million of its members.
Misconfiguration incidents often occur because a change or an upgrade is only tested for user functionality, and security is not tested, notes Tom Walsh, president of tw-Security.
"Information security needs to be integrated into all phases of the change control and configuration management, including request, review, approval and implementation. This is to ensure that changes to the application or system do not introduce any additional vulnerabilities," he says.
"Regardless who is handling the change - vendor, internal IT staff, web master/developer, etc. - information security and privacy need to be involved."
No Simple Answer
Unfortunately, there is no simple way to completely prevent misconfiguration mishaps, such as the one at UW Medicine, says Mark Johnson of the consultancy LBMC Information Security.
"It highlights that the basics of configuration management, involving cybersecurity in that process, vetting and reviewing each change, and validating that the change was done correctly might have prevented this instance," he says.
"However, no technology or process will 100 percent prevent human error. These steps will reduce the likelihood of it - but not eliminate it. "
Some industry researchers predict that 80 percent of cloud data breaches will be due to customer misconfiguration, mismanaged credentials or insider theft, rather than cloud provider vulnerabilities, by 2020, Johnson says.
"Therefore, I believe it [misconfiguration] will become more common still due the complexity of the healthcare technical environment and the push to give patients greater access and accounting of their protected health information," he says.