University of Washington Medicine hit with $750,000 fine for phishing breach

Data BreachFederal regulators have hit the University of Washington Medicine (UWM) with a $750,000 fine and a corrective action plan two years after a phishing-related HIPAA breach hit the university and compromised 90,000 individuals’ records.

This ‘resolution agreement’ is the first of its kind to stem from the investigation of a phishing incident and calls for UWM to develop a current, comprehensive, and thorough risk analysis of its security risks and vulnerabilities.

Potential breach

UWM was breached back in 2013 after a “forged email containing malware in an attachment” managed to expose thousands of records. The incident occurred when “an employee opened an email link to review a document. The malware provided potential access to contact and other information needed for billing patients that was stored in files on the employee’s desktop computer,” UWM says. “When the potential breach was discovered, UWM notified the FBI and the OCR.”

“An effective risk analysis is one that is comprehensive in scope…”

OCR Director Jocelyn Samuels said in a statement about the UWM settlement: “All too often we see covered entities with a limited risk analysis that focuses on a specific system such as the electronic medical records or that fails to provide appropriate oversight and accountability for all parts of the enterprise. An effective risk analysis is one that is comprehensive in scope and is conducted across the organization to sufficiently address the risks and vulnerabilities to patient data.”

This is the sixth HIPAA resolution agreement that has been announced this year, amounting to $6 million in fines issued.

According to HIPAA, health care organizations are expected to hold their subsidiaries and affiliates accountable for implementing and exercising privacy and information security safeguards to ensure the confidentiality of protected health information.


UWM’s breach could have been prevented with appropriate staff training and regular security reminders, which too few covered entities provide for their workers. It’s important for all staff who access corporate computers/laptops/cell phones to be reminded about security on an ongoing basis.

Make staff aware of phishing attacks

We recommend that organizations take action against the increasing threat of targeted phishing attacks by educating their employees to be alert, vigilant, and secure with the Phishing Staff Awareness Course.

This short, online course will help you and your team understand how phishing attacks work, the tactics cyber criminals employ, and how to spot and avoid phishing campaigns – perfect for all members of staff.