UW Privacy Office

Report an Incident

Report any incident or potential data breach immediately

Immediately report unforeseen events, incidents, and potential or confirmed data breaches (“incidents”) involving personal data or individually identifiable information to the offices on this webpage.

To report an incident involving:

Personal data other than Protected Health Information or Human Subjects data

Complete the UW Privacy Office’s Incident Report Form or contact UW Privacy Office at uwprivacy@uw.edu or 206-616-1238 ASAP and provide as much of the below information that is known at the time of the report:

  • Your first and last name
  • Your email address and phone number
  • Short descriptive title of incident (e.g. Lost laptop in Dept. X)
  • Brief description of what happened
  • Date the incident occurred
  • Date you became aware of the incident
  • UW organization where the incident occurred or was observed, if known
  • Types of data involved in the incident (e.g. Social Security Number (SSN) or last four digits of SSN; driver’s license or state identification number; financial account numbers; full dates of birth; private key used to authenticate or sign an electronic record; health insurance policy number or health identification number; student, military, or passport identification number; medical history; mental or physical condition, or health professional’s medical diagnosis or treatment; biometric data; username or email address in combination with a password or security question or answers)
  • Physical location of individuals when personal information was originally collected (e.g. Washington state, other states, or other countries)
  • If the data are encrypted, redacted, or made unusable
  • What information systems, if any, are involved
  • Name(s) of individual(s) at the UW who know or have been informed about the event/incident
  • Root cause of the incident, if known

Human Subject Information and Reportable New Information for Research

Review the Human Subjects Division Guide to Reporting New Information.

Protected Health Information at Non-UW Medicine Healthcare Components

Contact Compliance and Risk Services at crs-privacy@uw.edu or 206-221-4442.

This includes:

  • Autism Center at Center on Human Development and Disability (CHDD)
  • Psychology Clinics in the College of Arts & Sciences
  • Rubenstein Pharmacy in the School of Pharmacy (also known as Hall Health Pharmacy)
  • School of Dentistry Clinics and Faculty Practice Plan (also known as UW Dentists)

See UW Health Insurance Portability and Accountability Act (HIPAA) Designation [pdf] for a description of the Non-UW Medicine and UW Medicine Healthcare Components.

Protected Health Information at UW Medicine

Contact UW Medicine Compliance at comply@uw.edu or 206-543-3098 (local) or 855-211-6193 (toll free).

This includes:

  • UW Medicine Center and Clinics
  • Hall Health Center
  • Airlift Northwest
  • Department of Pediatrics Molecular Development Lab
  • Harborview Medical Center and Clinics
  • King County Public Hospital District No. 1 d/b/a Valley Medical Center and Clinics
  • UW Physicians Network d/b/a UW Neighborhood Clinics
  • The Association of University Physicians d/b/a UW Physicians
  • Summit Cardiology

See UW Health Insurance Portability and Accountability Act (HIPAA) Designation [pdf] for a description of the Non-UW Medicine and UW Medicine Healthcare Components.

Information security and/or Export Controls (other than Covered Defense Information)

Contact the Office of the Chief Information Security Officer (CISO) at ciso@uw.edu or 206-685-0116.

National Security Classified Information and/or Covered Defense Information

Contact the University Facility Security Officer at uwfso@uw.edu or 206-543-1315.

Unsure where to report an incident?

Complete the UW Privacy Incident Report Form, or contact the UW Privacy Office at uwprivacy@uw.edu or 206-616-1238, and we will triage the report to the correct organization.

Incident Report Form

Incident Do’s and Don’ts


  • Report incidents involving personal data or individually identifiable information as soon as possible
  • Isolate the affected system to prevent further intrusion, release of data, etc.
  • Limit sharing of information to individuals who have responsibility for managing and addressing the incident
  • Be clear about the facts versus assumptions or speculations
  • Document only information that has been substantiated
  • Mark documents as “draft” until finalized
  • Preserve all pertinent systems logs and information


  • Delete, move, or alter files on the affected system
  • Send any notifications before consulting with the appropriate office listed above
  • Communicate that there is a potential or confirmed breach to individuals who are not:
    • Contributing facts or are decision makers
    • Involved in the incident management process
    • Impacted by the breach
  • Contact or retaliate against the individual who may have caused the event/incident
  • Conduct your own forensic analysis

What happens after you report an incident to the UW Privacy Office?

The UW Privacy Office:

  • Manages the UW’s response to the incident;
  • Coordinates the activities, as needed, with the UW Division of the Attorney General’s Office, UW Office of the CISO, and other applicable offices at the UW;
  • Assesses the potential harm to individuals, compliance with applicable laws and regulations, and risks to the UW;
  • Determines if communication or notification to individuals is required or desired;
  • Reports the incident, if/as needed, to external regulators; and
  • Manages the communication plan(s), including communication to the President, the Provost, Board of Regents and University Marketing and Communications.

Please review the Breach Notification webpage for additional information.