The private health information of more than 4,000 patients was exposed for 16 years by a US transplant medical center.
Virginia Commonwealth University Health System (VCU) announced that sensitive data pertaining to both transplant donors and recipients have been available for others to view on a patient portal since 2006.
This information "could have been visible" to transplant recipients, donors, and/or their representatives when they logged into the recipient's and/or donor's patient portal, VCU said.
The data leak was discovered on February 7, 2022, and more information about the types of data involved was found on March 29 and May 27.
VCU has not yet released any details about how the privacy incident occurred, but said there was no evidence the information was misused.
Rana said: “From the limited information on this, it appears to be a typical case of a design issue or misconfiguration, where a patient (donor or recipient) can access someone else's data without actively exploiting any weaknesses in the system.
“The patient portal is a critical part of any healthcare system, so it's surprising to see this flaw go undetected for so long. The good thing is that it seems that any patient has to have a valid account (donor or recipient) to be part of this incident, which contains the incident in some sense.
They added: “These days many healthcare systems are designed in a way that sensitive information such as SSN, DOB or other PII/PHI is not shared at all, or at least masked on screen by default, and viewing it requires an additional step of authentication.”
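To make the two points above concrete, here is an added example (not VCU's code, and not based on any knowledge of their portal) of a patient-portal record lookup. The first function shows the flawed shape Rana describes: a record is fetched by whatever patient ID the request names, with no check that it belongs to the logged-in user. The second function enforces that a session may only read its own record, writes an audit event on any cross-patient attempt, and masks SSN and date of birth by default unless the caller has completed a step-up authentication. The `RECORDS` data, the `step_up_verified` flag and the `AUDIT_LOG` list are all constructed for this illustration.

```python
"""Added example: object-level authorization and default PII masking for a patient portal."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PatientRecord:
    patient_id: str
    name: str
    ssn: str
    dob: str   # ISO date, YYYY-MM-DD
    role: str  # "donor" or "recipient"


# Constructed sample data: one recipient and one screened donor.
RECORDS = {
    "P-1001": PatientRecord("P-1001", "Alice Example", "123-45-6789", "1980-01-02", "recipient"),
    "P-2002": PatientRecord("P-2002", "Bob Sample", "987-65-4321", "1975-06-07", "donor"),
}

# In-memory audit trail so denied attempts are visible to detection (constructed).
AUDIT_LOG = []


class AccessDenied(Exception):
    """Raised when a session asks for a record it does not own."""


def view_record_vulnerable(session_patient_id, requested_patient_id):
    """Flawed design: trusts the requested ID and never ties it to the session.

    Any authenticated donor or recipient can read any other patient's full record
    simply by naming a different ID, which is the class of issue the article describes.
    """
    rec = RECORDS[requested_patient_id]
    return {"patient_id": rec.patient_id, "name": rec.name, "role": rec.role,
            "ssn": rec.ssn, "dob": rec.dob}


def mask_ssn(ssn):
    """Show only the last four digits of an SSN."""
    return "***-**-" + ssn[-4:]


def mask_dob(dob):
    """Show only the year of a date of birth."""
    return dob[:4] + "-**-**"


def view_record_hardened(session_patient_id, requested_patient_id, step_up_verified=False):
    """Hardened design: ownership check first, sensitive fields masked by default.

    step_up_verified models the "additional step of authentication" a portal
    would require before revealing unmasked SSN/DOB (assumed flag, not a real API).
    """
    if requested_patient_id != session_patient_id:
        # Deny and record the attempt so repeated probing is detectable.
        AUDIT_LOG.append({"event": "cross_patient_access_denied",
                          "session": session_patient_id,
                          "requested": requested_patient_id})
        raise AccessDenied("session may only view its own record")

    rec = RECORDS.get(requested_patient_id)
    if rec is None:
        raise KeyError(requested_patient_id)

    view = {"patient_id": rec.patient_id, "name": rec.name, "role": rec.role}
    if step_up_verified:
        AUDIT_LOG.append({"event": "pii_revealed", "session": session_patient_id})
        view["ssn"] = rec.ssn
        view["dob"] = rec.dob
    else:
        view["ssn"] = mask_ssn(rec.ssn)
        view["dob"] = mask_dob(rec.dob)
    return view


if __name__ == "__main__":
    # A recipient viewing their own record sees masked PII by default.
    print(view_record_hardened("P-1001", "P-1001"))
    # After step-up authentication the full values are returned and the reveal is logged.
    print(view_record_hardened("P-1001", "P-1001", step_up_verified=True))
    # The same recipient asking for the donor's record is refused and audited.
    try:
        view_record_hardened("P-1001", "P-2002")
    except AccessDenied as exc:
        print("denied:", exc, AUDIT_LOG[-1])
```

The key design choice is that the authorization decision is made against the identity bound to the session, never against an identifier supplied in the request, and that a denial is logged rather than silently swallowed: a portal that had emitted such events would have had a far better chance of noticing cross-patient access before sixteen years passed.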
“The number of donors that the recipients could have seen depended on the number of potential donors that were screened.”
“We are insured for this possibility and have worked with the cybersecurity experts available through our insurance coverage to resolve the issue.”