Washington State University breach compromises data of 1 million
The health and wellness services division of Washington State University in Seattle has experienced a major breach of protected health information, but the extent of the incident is not yet clear.
Local media, including KUOW a National Public Radio station, have reported the breach affects 1 million individuals, but the HHS Office for Civil Rights, which enforces the HIPAA privacy and security rules, has not publicly confirmed that number.
On April 21, the university discovered that a hard drive was stolen from a locked safe. The hard drive held back-up files from a server used by the Social and Economic Sciences Research Center, which included a health survey that collected PHI.
Breached information from the health and wellness services division covered data of patients of medical and dental clinics, vision clinics, behavioral health organizations and local pharmacies.
Compromised data included names, Social Security numbers and undisclosed personal health information. Entities providing the information included school districts and community colleges, along with other undisclosed customers.
Washington State University is offering affected individuals one year of credit monitoring and identity theft protection services. Notification letters were mailed on June 9, and the university is asking individuals who believe they may have been affected and have not received a letter by June 30 to call a dedicated hot line.
“As president of Washington State University, I deeply regret that this incident occurred and am truly sorry for any concern it may cause our community,” Kirk H. Schulz said in the notification letters. He pledged to strengthen information technology operations via a comprehensive assessment of IT practices and policies, as well as improving security awareness training of employees.
The university declined to provide additional information on the incident.