UW Medicine announced last week that up to 90,000 patients may have had personal data stolen. It stressed that health data was not involved. "Based on the results of an internal investigation, it is believed that patient information was not sought or targeted. However, the malware accessed the data files of roughly 90,000 Harborview Medical Center and University of Washington Medical Center patients."
Nevertheless, what was stolen is rich pickings for identity thieves: "name, medical record number, other demographics (which may include address, phone number), dates of service, charge amounts for services received at UW Medicine, Social Security Number or HIC (Medicare) number, date of birth."
The attack occurred in early October (2 October according to the Seattle Times) when an employee opened an email with a malicious attachment. "The malware took control of the computer, which had patient data stored on it. UW Medicine staff discovered this incident the following day and immediately took measures to prevent any further malicious activity."
UW Medicine has referred the matter to the FBI (although it doesn't say when it did so). It began mailing the affected patients last week, and notes that "patients may be contacted by the FBI as part of its investigation." On the basis of this announcement, it has taken around eight weeks from learning of the breach to notifying patients – and it made the notification on the eve of Thanksgiving, one of America's most important holidays.
King 5 News reports on the reaction of one patient to the UW mailing. "'The delay in letting us know is appalling, if it happened October 2nd why are we just being notified the day after Thanksgiving,' Patricia Shiras said." The letter indicates that social security numbers and financial information were not compromised. The website, however, specifically includes SSNs. "I think my social security number and financial information are compromised and they're trying to cover it up," said Shiras.
Komo News also quotes an unhappy patient. Susan Phillips, whose last contact with the hospital was in 2008, received one of the letters. "I opened it up and I read this and I just got furious," she said. "I don't have a word for it right now... Waiting until the day before Thanksgiving to do a bulk mailing?"
According to the Seattle Times, UW Medicine spokeswoman Tina Mankowski said it had taken more than a month "to analyze the activity and figure out which patients are most at risk of identity theft." She also said that it is "UW policy that if more than 500 accounts are compromised in an identity-theft attempt, the UW reports the incident to the media."