The private health information of more than 4,000 patients was left exposed for 16 years by a US medical transplant center.
Virginia Commonwealth University Health System (VCU) announced that sensitive data belonging to both transplant donors and recipients was available to view by others on a patient portal since 2006.
The healthcare provider said that 4,441 people were affected by the breach, which involved data including names, Social Security numbers, lab results, medical record numbers, and/or dates of birth.
This information “may have been viewable” to transplant recipients, donors, and/or their representatives when they logged into the recipient’s and/or donor’s patient portal, VCU said.
Discovery
The data leak was discovered on February 7, 2022, and more information about the types of data involved was found on March 29 and May 27.
VCU has not yet released any details about how the privacy incident occurred, but said that there was no evidence that any information has been misused.
Speaking to The Daily Swig, Ashutosh Rana, senior security consultant at the Synopsys Software Integrity Group, speculated about what may have happened, concluding that it was likely a “typical case” of misconfiguration.
Rana said: “From the limited information out on this, it seems to be a typical case of design issue or misconfiguration, where a patient (donor or recipient) can access someone else’s data without actively exploiting any weakness in the system.
“Any user just needed to log in to see someone else’s information because it [is] meant to be that way by the design of the system.
“Patient portal is a critical part of any healthcare system, so it is surprising to see this flaw was undetected for that long. The good part is that it seems any patient has to have a valid account (donor or recipient) to be part of this incident which contains the incident in some sense.”
They added: “These days many health care systems are designed in a way where sensitive information like SSN, DOB or other PII/PHI is either not shared at all or at least masked on the screen by default, also viewing them needs an additional step-up authentication.”
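The default masking and step-up authentication Rana describes, combined with a per-record ownership check, shown as an added example (not code from VCU or the article). The field names, the five-minute step-up window, the `links` structure and all sample data are assumptions.

```python
import time
from dataclasses import dataclass
from typing import Optional

STEP_UP_WINDOW = 300                 # assumed: seconds a step-up login stays valid
SENSITIVE = {"ssn": 4, "dob": 0}     # field -> trailing characters left visible when masked
LINKED_ALLOWED = {"match_status"}    # assumed: all a linked donor/recipient may see

@dataclass
class Session:
    patient_id: str
    step_up_at: Optional[float] = None   # time of last step-up authentication

def mask(value, keep):
    cut = max(len(value) - keep, 0)
    return "*" * cut + value[cut:]

def render_record(session, record, links, reveal=(), now=None):
    """Return only the fields of `record` this session may see.

    links:  set of frozenset({donor_id, recipient_id}) pairs.
    reveal: sensitive fields the user asked to unmask.
    """
    now = time.time() if now is None else now
    owner = record["patient_id"]
    if session.patient_id == owner:
        # Owners see their own record, with sensitive fields masked unless
        # they asked to reveal them and stepped up recently.
        fresh = (session.step_up_at is not None
                 and 0 <= now - session.step_up_at <= STEP_UP_WINDOW)
        return {k: v if k not in SENSITIVE or (fresh and k in reveal)
                else mask(v, SENSITIVE[k])
                for k, v in record.items()}
    if frozenset({session.patient_id, owner}) in links:
        # A transplant link is not a grant to read the other party's PHI.
        return {k: v for k, v in record.items() if k in LINKED_ALLOWED}
    raise PermissionError("no relationship to this record")

# Constructed sample data, not taken from the incident.
RECIPIENT = {"patient_id": "R1", "name": "Sample Recipient", "ssn": "000-00-1234",
             "dob": "1970-01-01", "lab_results": "creatinine 1.1 mg/dL",
             "match_status": "compatible"}
LINKS = {frozenset({"D1", "R1"})}
```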
A spokesperson for VCU told The Daily Swig: “Potentially viewable by organ donors and recipients were data such as lab results, medical record numbers, dates of surveys and birthdays. Donors could only view one recipient’s information, if any.
“The number of donors the recipients may have viewed depended on the number of potential donors who were tested.
“We are insured for this possibility and have worked with the cybersecurity experts available to us through our insurance coverage to resolve the issue.”