Just before the Thanksgiving holiday, UW Medicine reported a HIPAA security breach, affecting roughly 90,000 patients at Harborview and UW Medical Centers. In early October, a UW Medicine employee opened an e-mail attachment containing malicious software. The malware took control of the computer, which had patients’ data stored on it. The information that was exposed was a subset or extraction of data that was used for billing purposes. Patient information may have included names, medical record numbers, addresses, phone numbers, dates of service, charge amounts for services received, Social Security numbers or Medicare numbers.
This is the fourth biggest HIPAA security breach this year, according to data from the Department of Health and Human Services. The other major breaches involved stolen unencrypted computers and laptops (Advocate Health System and AHMC Healthcare) and improper disposal of medical records (Texas Health Harris Methodist Hospital).
The recent UW Medicine incident highlights the need for hospitals, providers, and business associates to monitor and update their virus protection software and firewalls. Additionally, organizations should implement security awareness and training programs for all workforce members– this may include periodic reminders addressing malicious software or guidance on opening suspicious e-mail attachments, e-mail from unfamiliar senders or hoax e-mail.