The Virginia Commonwealth University Health System (VCU) has warned almost 4500 transplant participants about a privacy breach affecting the healthcare information.
The company warned that some transplant recipients’ medical records included information about their donor too. Some recipient information also appeared on donors’ records too. In some cases, this information has been exposed since 2006.
The information visible included Social Security numbers, names, and medical record numbers, amongst other things. In total, 4441 people were affected.
VCU warned that “this information may have been viewable to transplant recipients, donors, and/or their representatives when they logged into the recipient’s and/or donor’s patient portal.”
The discovery was made by VCU on 7th February this year. More information was discovered in April. The statement added that the information had been accessible to donors and recipients as far back as 2006.
The organisation has contacted affected individuals where possible and has offered free credit reports to anyone whose social security numbers were stolen.
Chad McDonald, CISO at Radiant Logic explained: “Proper data classification and controls should have identified that this information was sensitive, and that users should not have access to other peoples’ medical records.”