UW Privacy Office

Report an Incident

Report any incident or potential data breach immediately

Immediately report unforeseen events, incidents, and potential or confirmed data breaches (“incidents”) involving personal data or individually identifiable information to the offices on this webpage.

To report an incident involving:

Personal data other than Protected Health Information or Human Subjects data

Complete the UW Privacy Office’s Incident Report Form or contact the UW Privacy Office at uwprivacy@uw.edu or 206-616-1238 ASAP and provide as much of the information below as is known at the time of the report:

  • Your first and last name
  • Your email address and phone number
  • Short descriptive title of incident (e.g. Lost laptop in Dept. X)
  • Brief description of what happened
  • Date the incident occurred
  • Date you became aware of the incident
  • UW organization where the incident occurred or was observed, if known
  • Types of data involved in the incident (e.g. Social Security number, driver’s license or state identification number, financial account numbers, full dates of birth, private key used to authenticate or sign an electronic record, health insurance policy number or health identification number, student/military/passport identification number, medical history, mental or physical conditions, or health professional’s medical diagnosis or treatment, biometric data, username or email address in combination with a password or security question or answers)
  • Physical location of individuals when personal information was originally collected (e.g. Washington state, other states, or other countries)
  • Whether the data are encrypted, redacted, or made unusable
  • What information systems, if any, are involved
  • Names of individuals at the UW who know or have been informed about the event/incident
  • Root cause of the incident, if known

Human Subject Information and Reportable New Information for Research

See Human Subjects Division Guide to Reporting New Information.

Protected Health Information at Health Sciences Healthcare Components

Contact Health Sciences Administration at 206-543-0702.

Protected Health Information at UW Medicine

Contact UW Medicine Compliance at comply@uw.edu or 206-543-3098 (local) or 855-211-6193 (toll free).

Information security and/or Export Controls (other than Covered Defense Information)

Contact the Office of the Chief Information Security Officer (CISO) at ciso@uw.edu or 206-685-0116.

National Security Classified Information and/or Covered Defense Information

Contact the University Facility Security Officer at uwfso@uw.edu or 206-543-1315.

Unsure where to report an incident?

Complete the UW Privacy Incident Report Form, or contact the UW Privacy Office at uwprivacy@uw.edu or 206-616-1238, and we will triage the report to the correct organization.


Incident Do’s and Don’ts

Do

  • Report incidents involving personal data or individually identifiable information as soon as possible
  • Isolate the affected system to prevent further intrusion, release of data, etc.
  • Limit sharing of information to individuals who have responsibility for managing and addressing the incident
  • Be clear about the facts versus assumptions or speculations
  • Document only information that has been substantiated
  • Mark documents as “draft” until finalized
  • Preserve all pertinent systems logs and information

Don’t

  • Delete, move, or alter files on the affected system
  • Send any notifications before consulting with the appropriate office listed above
  • Communicate that there is a potential or confirmed breach to individuals who are not:
    • Contributing facts or are decision makers
    • Involved in the incident management process
    • Impacted by the breach
  • Contact or retaliate against the individual who may have caused the event/incident
  • Conduct your own forensic analysis

What happens after you report an incident to the UW Privacy Office?

The UW Privacy Office:

  • Manages the UW’s response to the incident;
  • Coordinates the activities, as needed, with the UW Division of the Attorney General’s Office, UW Office of the CISO, and other applicable offices at the UW;
  • Assesses the potential harm to individuals, compliance with applicable laws and regulations, and risks to the UW;
  • Determines if communication or notification to individuals is required or desired;
  • Reports the incident, if/as needed, to external regulators; and
  • Manages the communication plan(s), including communication to the President, the Provost, Board of Regents and University Marketing and Communications.

See Breach Notification webpage for additional information.