On April 16, 2022, UW Medicine suffered a data breach caused by the theft of an unencrypted laptop. The incident exposed sensitive personal and medical information of 739 Washington residents, including names, dates of birth, gender, treating physician’s name, procedure names, and procedure findings. The breach stemmed from a physical security failure—an unencrypted device containing protected health information (PHI) was stolen, allowing unauthorized access to confidential patient records. While the stolen data did not include financial details (e.g., credit card numbers or Social Security numbers), the exposure of medical histories and personally identifiable information (PII) poses risks such as identity theft, targeted phishing, or reputational harm to affected individuals. UW Medicine, as a healthcare provider, is subject to HIPAA regulations, and the breach may trigger compliance investigations, potential fines, and mandatory notifications to impacted patients. The incident underscores vulnerabilities in device encryption policies and physical security controls, particularly in handling portable storage containing sensitive data. No evidence suggests the data was misused, but the breach erodes trust in the organization’s ability to safeguard patient privacy, potentially leading to legal repercussions or patient attrition.
TPRM report: https://www.rankiteo.com/company/uw-medicine
"id": "uw-951091725",
"linkid": "uw-medicine",
"type": "Breach",
"date": "4/2022",
"severity": "60",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"{'affected_entities': [{'customers_affected': '739',
'industry': 'Healthcare',
'location': 'Washington, USA',
'name': 'UW Medicine',
'type': 'Healthcare Provider'}],
'attack_vector': 'Theft of Unencrypted Device',
'data_breach': {'data_encryption': 'No',
'data_exfiltration': 'Yes (via physical theft)',
'number_of_records_exposed': '739',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High (PII + Medical Data)',
'type_of_data_compromised': ['Personal Identifiable '
'Information (PII)',
'Medical Information']},
'date_detected': '2022-04-16',
'description': 'The Washington State Office of the Attorney General reported '
'that UW Medicine experienced a data breach due to the theft '
'of an unencrypted laptop on April 16, 2022. The breach '
'affected 739 Washington residents, with the specific types of '
'compromised information including names, dates of birth, '
"gender, treating physician's name, procedure name, and "
'procedure findings.',
'impact': {'data_compromised': ['Names',
'Dates of Birth',
'Gender',
"Treating Physician's Name",
'Procedure Name',
'Procedure Findings'],
'identity_theft_risk': 'Moderate (PII exposed)',
'systems_affected': ['Unencrypted Laptop']},
'post_incident_analysis': {'root_causes': ['Failure to encrypt sensitive data '
'on a portable device',
'Inadequate physical security '
'controls leading to theft']},
'recommendations': ['Implement full-disk encryption for all portable devices '
'containing sensitive data.',
'Enhance physical security measures for devices storing '
'PII/medical data.',
'Conduct regular audits of device encryption compliance.'],
'references': [{'source': 'Washington State Office of the Attorney General'}],
'regulatory_compliance': {'regulatory_notifications': 'Washington State '
'Office of the Attorney '
'General'},
'title': 'UW Medicine Data Breach Due to Theft of Unencrypted Laptop',
'type': 'Data Breach (Physical Theft)',
'vulnerability_exploited': 'Lack of Device Encryption'}