Patients question UW Medicine's handling of computer hack

SEATTLE -- Ninety thousand UW Medicine patients are being notified via letter of a data security breach that potentially involves their personal information.

But some patients, such as Karen Hauger, are questioning why they're not being offered "credit monitoring" like other victims.

Susan Phillips got a similar letter last week, but her notice included an offer to pay for a year of fraud-protection services, which she gladly accepted.

Both letters explain how UW Medicine became aware in October of an intrusion into its computer systems. Officials believe a UW employee opened an attachment loaded with malware on their computer.

The malware then started pilfering personal information on a database used by UW Medicine and sent the information outside of the network.

"When I opened this up I just got furious," Phillips said.

Two letters were sent to potential victims. Fifteen thousand patients got a letter like the one Phillips received, saying UW Medicine would pay for a year's worth of credit monitoring because their Social Security numbers "may" have been compromised.

The remaining 75,000 got a letter like Karen Hauger's, which said their Social Security numbers and financial information were not part of the breach, but other information like name, medical record number, dates of service and charge amounts for services received may have been compromised.

"They don't even know for sure," Hauger said.

If there is uncertainty, Hauger wonders why UW Medicine hasn't offered to pay for fraud services for everyone affected.

"It would have been nice to have been covered in some way," she said. "Someone else can take that information and go further and find out other information about me."

A spokeswoman for UW said she was unable to respond to our questions about the two letters and the delay in notifying patients about the breach.

Surprisingly, internet privacy attorney Susan Lu Lyon says institutions, businesses, public agencies and individuals don't have to offer any compensation for a security breach. The laws in most states only require the notification of a security breach to the victim.

"There is no obligation or requirement in any of the states to offer credit monitoring services to any individuals but many companies do," Lyon said.

She said if a victim can prove a hacker stole their identity and caused financial harm, then the victim could pursue compensation for the financial harm that was done.