RICHMOND, Va. (WRIC) — The United Network for Organ Sharing (UNOS) — a Richmond-based nonprofit — is investigating a ‘configuration error‘ that may have given access to some patients’ personal and health information, including some patients’ social security numbers, dates of birth and medical procedure information.
According to a statement issued by the nonprofit on Thursday, Dec. 14, the exposure was “limited to two environments used for developing, staging and testing new tools, and did not affect the match or allocation of organs to patients.”
UNOS said private data included some social security numbers, dates of birth and medical procedure information, but did not include names and addresses. This may have impacted a maximum of about 1.2 million patients, according to UNOS, although it stated that more investigation was necessary to find the specific impact.
Both environments were allegedly only accessible to authorized users in the organ transplant community, and the nonprofit claimed to have not found that any users shared confidential data, or that any patient data was misused.
The nonprofit also stated that the configuration error was not the result of a data breach by a third party.
When UNOS discovered the configuration error, the nonprofit said it immediately responded by taking testing environments offline and by seeking help from third-party data forensics and security experts.
UNOS said it notified the Health Resources and Services Administration (HRSA) of the event on Nov. 10, the same day the nonprofit discovered the configuration error.
The nonprofit added that it is “working to complete the impact analysis as quickly as possible,” and that it is “treating this matter with the highest priority and will provide an update when more information is available.”
