More than 4,000 individuals’ medical data left exposed for 16 years

The private health information of more than 4,000 patients was left exposed for 16 years by a US medical transplant center.

Virginia Commonwealth University Health System (VCU) announced that sensitive data belonging to both transplant donors and recipients was available to view by others on a patient portal since 2006.

The healthcare provider said that 4,441 people were affected by the breach, which involved data including names, Social Security numbers, lab results, medical record numbers, and/or dates of birth.

This information “may have been viewable” to transplant recipients, donors, and/or their representatives when they logged into the recipient’s and/or donor’s patient portal, VCU said.

Discovery

The data leak was discovered on February 7, 2022, and more information about the types of data involved was found on March 29 and May 27.

VCU has not yet released any details about how the privacy incident occurred, but said that there was no evidence that any information has been misused.

Speaking to The Daily Swig, Ashutosh Rana, senior security consultant at the Synopsys Software Integrity Group, speculated about what may have happened, concluding that it was likely a “typical case” of misconfiguration.

Rana said: “From the limited information out on this, it seems to be a typical case of design issue or misconfiguration, where a patient (donor or recipient) can access someone else’s data without actively exploiting any weakness in the system.

“Any user just needed to log in to see someone else’s information because it [is] meant to be that way by the design of the system.

“A patient portal is a critical part of any healthcare system, so it is surprising to see this flaw was undetected for that long. The good part is that it seems any patient has to have a valid account (donor or recipient) to be part of this incident, which contains the incident in some sense.”

They added: “These days many health care systems are designed in a way where sensitive information like SSN, DOB or other PII/PHI is either not shared at all or at least masked on the screen by default, and viewing them needs an additional step-up authentication.”
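The design flaw Rana describes, and the two safeguards he mentions (masking by default, step-up authentication to unmask), can be shown side by side in a small portal handler. This is an added illustration, not code from VCU or from The Daily Swig; the record fields, the sample patients and the function names are assumptions, and the SSN/DOB values are fictitious.

```python
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class PatientRecord:
    patient_id: str
    name: str
    ssn: str
    dob: str
    lab_results: str


# Constructed sample records (fictitious values) standing in for the portal's database.
RECORDS = {
    "recipient-1": PatientRecord("recipient-1", "Recipient One", "123-45-6789", "1970-01-01", "HLA typing: A2, B7"),
    "donor-1": PatientRecord("donor-1", "Donor One", "987-65-4321", "1985-05-05", "Crossmatch: negative"),
}


def vulnerable_view(viewer_id: str, target_id: str) -> dict:
    """The design issue Rana describes: the handler fetches whatever record id is
    requested and never checks whether the logged-in viewer is entitled to it."""
    return asdict(RECORDS[target_id])


def mask_pii(record: PatientRecord) -> dict:
    """Default on-screen view: identifiers masked, only the last four SSN digits kept."""
    data = asdict(record)
    data["ssn"] = "***-**-" + record.ssn[-4:]
    data["dob"] = "****-**-**"
    return data


def hardened_view(viewer_id: str, target_id: str, step_up_verified: bool = False) -> dict:
    """Object-level authorisation first; full PII only after a step-up check.

    A missing record and an unauthorised one raise the same error so the
    endpoint cannot be used to enumerate which patient ids exist."""
    if target_id not in RECORDS or viewer_id != target_id:
        raise PermissionError("record not available to this user")
    record = RECORDS[target_id]
    return asdict(record) if step_up_verified else mask_pii(record)
```

`vulnerable_view` lets a logged-in donor read a recipient's unmasked SSN; `hardened_view` refuses cross-patient reads outright and masks a patient's own identifiers until the session has passed step-up authentication.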

A spokesperson for VCU told The Daily Swig: “Potentially viewable by organ donors and recipients were data such as lab results, medical record numbers, dates of surveys and birthdays. Donors could only view one recipient’s information, if any.

“The number of donors the recipients may have viewed depended on the number of potential donors who were tested.

“We are insured for this possibility and have worked with the cybersecurity experts available to us through our insurance coverage to resolve the issue.”

Source: https://portswigger.net/daily-swig/more-than-4-000-individuals-medical-data-left-exposed-for-16-years
