The Virginia Commonwealth University Health System (VCU) has warned almost 4500 transplant participants about a privacy breach affecting their healthcare information.
The company warned that some transplant recipients’ medical records contained their donor’s information, while recipient information also showed up in some donors’ records. It has been inappropriately exposing this information since 2006 in some cases.
Information available included names, Social Security numbers, lab results, medical record numbers, the dates of medical procedures and dates of birth. In total, 4441 people were affected, it stated.
“This information may have been viewable to transplant recipients, donors, and/or their representatives when they logged into the recipient’s and/or donor’s patient portal,” VCU warned, adding that it might also have been released in response to information requests.
VCU made the discovery on February 7 this year and learned more about the information affected in April. The information had been accessible to recipients and donors as far back as January 2006, the statement added.
The organization has mailed affected individuals where possible and offered them free credit reports. Only those whose Social Security numbers were affected get free credit monitoring.
“Proper data classification and controls should have identified that this information was sensitive, and that users should not have access to other people’s medical records,” said Chad McDonald, CISO at Radiant Logic. “Organizations must define access levels to identity data based upon risk and justifiable need.”
This isn’t the first time that VCU has had to notify patients about mismanagement of their information. In 2014, the organization warned that it had failed to properly dispose of CDs containing patient health information. Instead of following its own disposal protocols, it had donated the CDs for children’s art projects.
This week, US debt collector Professional Finance Company (PFC) reported a data breach affecting 1.9 million individuals across more than 650 different healthcare providers.