Lawsuit Claims HIV Data Exposed in Leak

Legal Action Stems From Misconfigured Database at UW Medicine
A lawsuit seeking class action status filed against UW Medicine in the wake of a data leak incident has been amended to reflect that at least one HIV patient allegedly had their data exposed.

The lawsuit alleges UW Medicine, a Seattle-based academic medical system that includes several hospitals and a large physician practice, failed to properly protect PHI when it misconfigured a database, leaving nearly 974,000 patients’ information exposed to the internet for several weeks.

The plaintiffs are seeking “orders requiring UW Medicine to fully and accurately disclose the precise nature of data that has been compromised and to adopt reasonably sufficient security practices and safeguards to prevent similar incidents in the future.”

Local news broadcaster KIRO 7 recently reported at least one UW Medicine patient had their HIV-related information exposed as a result of the misconfiguration. The lawsuit was updated to reflect the alleged exposure of HIV-related data.

“Through discovery and public record requests, the plaintiffs have confirmed that the exposed information included information reflecting a patient’s HIV test-taking history and even status, along with medical record numbers, names, and other sensitive patient-accounting information,” the amended complaint alleges.

In a statement provided to Information Security Media Group, attorney John Bender of Corr Cronin LLP, the law firm representing plaintiffs in the case, says: “Patients expect their healthcare provider to keep their information safe. Based on our investigation, that didn’t happen here. Our clients want to make sure that something like this never happens again.”

UW Medicine did not immediately respond to ISMG’s request for comment on the lawsuit.

Data Leak Discovery

In a statement issued last year, UW Medicine said it became aware of the data exposure on Dec. 26, 2018, “when a patient was conducting a Google search for their own name and found a file containing their information. The patient reported this to UW Medicine.”

UW Medicine said in the statement that “a vulnerability on a website server … made protected internal files available and visible by search on the internet on Dec. 4, 2018.”

The recently amended lawsuit, originally filed in October 2019, alleges that UW Medicine failed to properly secure and safeguard the PHI of approximately 974,000 patients, “including without limitation, patient names, medical record numbers and other healthcare data.” It also alleges that the organization failed “to provide timely, accurate and adequate notice to plaintiffs and the class that the confidentiality of their information had been breached.”

A Growing Problem?

The lawsuit says that data exposure tied to misconfigured IT is a growing problem.

“Third parties harvest personal information through intrusive hacking attempts or simply by using Google or software downloadable online to scour the internet for unsecured and/or misconfigured databases,” the lawsuit says. “Misconfigured and/or unsecured databases, like the one at issue here, plague the healthcare sector at alarming rates.”

Some of the largest health data breaches reported to federal regulators last year involved misconfigured IT. That includes a data leak reported by Puerto Rico-based clearinghouse and cloud services provider Inmediata Health Group last April that affected about 1.6 million individuals.


"Another common example is when a researcher receives approval to access medical records to determine whether a patient may be eligible for a research study or to recruit participants. The researcher must document in the database when they access the medical record," the statement adds.

UW Medicine noted in its statement that because Google had saved some of the files before Dec. 26, 2018, the institution worked with Google to remove the saved versions and prevent them from showing up in search results. All saved files were removed from Google's servers by Jan. 10, 2019, UW Medicine said.

The amended lawsuit contends that individuals’ data was left exposed on the internet for more than one month and that UW Medicine was not forthcoming about the sensitive data, such as HIV test information, that was exposed.

About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
