After opening a malicious attachment in a phishing email, an employee at University of Washington Medicine in Seattle may have exposed the personal information of more than 90,000 Harborview Medical Center and University of Washington Medical Center patients.

The breach took place in October. According to a press release on the UW Medicine website, upon opening the malware-laden attachment, the unnamed piece of malicious software then “took control of the computer.” The infected computer contained patient data and the malware went unnoticed for one day before staff members “took measures to prevent any further malicious activity.”

UW Medicine says that it conducted an internal investigation and does not believe that patient data was sought or targeted in the attack. Despite this belief, the malware is said to have accessed the personal information of more than 90,000 current and former patients. The potentially exposed data include names, medical record numbers, “other demographics (which may include address, phone number),” dates of service, charge amounts for services received, dates of birth, and Social Security Numbers or Health Insurance Claim (Medicare) numbers.

The press release also announces that UW Medicine has implemented a review and is conducting employee training and other outreach efforts in response to the incident.

UW Medicine apologized for the breach, saying it will attempt to contact each individual affected via email. As is the industry standard, the company has also hired a firm specializing in data breach prevention and response to manage a call center on behalf of UW Medicine.

Threatpost attempted to contact UW Medicine for comment and clarification, but the company’s spokesperson was not available at the time of publication.

UW Medicine image via I-5 Design & Manufacture Flickr photostream, Creative Commons

Categories: Data Breaches