June 18, 2021

Notice of privacy incident

UW Health takes the privacy and security of our patients’ information very seriously. Regrettably, this notice concerns a cybersecurity incident that may have involved some of that information.

UW Health recently became aware of unusual activity related to certain patients’ MyChart patient portals. We quickly launched an investigation into the nature and scope of the activity and took additional steps to contain the incident. Between April 20 and May 4, 2021, the investigation identified unauthorized access to a limited number of MyChart accounts by an unknown person, who may have viewed information contained in those accounts. The dates of unauthorized access ranged from December 27, 2020 to April 13, 2021.

We determined that, for some patients, the unauthorized person visited the MyChart patient portal homepage, which may have displayed clinical information such as upcoming appointment reminders, hospital admissions, care team, the subject line of messages from a provider, and/or prompts to view new test results. In certain instances, pages containing appointments and admissions, health insurance and/or claims information, additional health history (such as treatment information, test results, diagnoses, or medications), or demographic information (such as name, address, email address or phone number) may have also been visited.

It is important to note that Social Security numbers and payment information are not stored in MyChart and were not involved. In addition, this incident is limited in scope and involves a small percentage of UW Health patients.

Beginning June 18, 2021, we are mailing notification letters to affected patients. We also have established a dedicated call center regarding this specific matter that affected individuals can contact for more information, available at (855) 731-3112, Monday through Friday, between 8 a.m. and 5:30 p.m. Central Time. UW Health recommends patients review their personal contact information in their MyChart accounts, including their address, email address and phone number, to confirm the information is accurate.

UW Health deeply regrets that this incident occurred and any concern it may cause. We take this issue very seriously and are committed to taking steps to help ensure something like this does not happen again. We are continuing to enhance our security processes and protocols, including by strengthening password security, such as forcing password resets, requiring two-step validation (also known as multi-factor authentication) for access to MyChart, and deactivating accounts that have been inactive for 15 months. We will also be enhancing our monitoring capabilities.