Cyber Incident Victim: UW Medicine

In June 2022, Seattle-based UW Medicine experienced a data breach impacting 3,800 patients through a ransomware attack targeting its third-party mail service vendor, Kaye-Smith. The vendor discovered unauthorized access to its systems in June, though UW Medicine was not notified until August 24, 2022. The compromised files contained Patient Account & Support Services statements and billing-related correspondence generated by UW Medicine. Exposed information included patient names, addresses, account numbers, medical record numbers, treatment provider names, and descriptions of medical services. Notably, Social Security numbers, dates of birth, and financial payment details such as credit card information remained secure and were not accessed during the incident. The breach originated solely within Kaye-Smith’s infrastructure, which handled statement mailing services for UW Medicine’s billing operations.

UW Medicine issued breach notifications to affected patients following confirmation of the incident’s scope from Kaye-Smith. The vendor assumed responsibility for directly notifying all individuals whose data was compromised. The breach also impacted other healthcare organizations utilizing Kaye-Smith’s services, including Danville, Pennsylvania-based Geisinger and Seattle Children’s hospital. No disruptions to UW Medicine’s internal clinical operations or direct patient care systems were reported, as the incident was confined to the vendor’s environment. The hospital emphasized that its own systems remained uncompromised throughout the event. Kaye-Smith undertook remediation efforts, though specific containment measures or forensic findings were not disclosed in UW Medicine’s public statements.