RICHMOND, Va. -- A data breach at Richmond-based UNOS, the organ sharing network, has exposed up to 1.2 million patient records.
In a statement, UNOS said the exposure occurred in two software testing environments and that patients' dates of birth, social security numbers, and medical procedure information were visible, but only to authorized users.
UNOS has faced withering criticism in recent years for inefficiencies, including outdated technology.
This summer President Joe Biden signed a new law taking away the network's exclusive contract, which had effectively given it a monopoly on overseeing transplants in the US.
The data breach comes as those critics say the administration has not moved fast enough since the passage of the law to expedite the transition to competitive bidding on contracts and to remove the current UNOS board.
Late Tuesday, the office of Sen. Chuck Grassley (R, Iowa) sent CBS6 a statement that said, "UNOS’s recent data breach is yet another example of what Sen. Grassley’s ongoing oversight has shown – UNOS can’t be trusted to run our nation’s organ donation system. HRSA [Health Resources and Services Administration] should take note of this major tech failure and commit to implementing a transparent and competitive IT contracting process to better serve patients and save lives. Sen. Grassley’s office will be following up with UNOS to learn what led to this latest failure and what UNOS is doing to ensure patients’ records are secured."
The UNOS statement said names and addresses were not affected by the breach, which it said does not affect its ongoing work of matching donors and recipients through agencies across the country.
UNOS statement on testing environment situation
December 14, 2023, Richmond, VA
UNOS is currently investigating a configuration error that may have permitted access by authorized users to some patients’ personal and health information stored within two UNOS IT environments. The exposure was limited to two environments used for developing, staging and testing new tools, and did not affect the match or allocation of organs to patients.
Both environments were only accessible to authorized users in the organ transplant community. We have no indication that any users have violated our privacy policies regarding the sharing of confidential data, and we have no reason to believe that any patient data was misused. This was not a compromise of system security by any unauthorized third party.
Upon discovery of the configuration error, we immediately initiated a comprehensive response in accordance with our established IT procedures. This included taking the testing environments offline. We also have engaged third-party data forensics and security experts to assist us in fully understanding the scope of the incident.
Although our investigation is still underway, we have determined that the unredacted information that was visible in two testing environments included some private data such as social security numbers, dates of birth and medical procedure information. However, the data did not contain other key identifiers, such as names and addresses.
We notified the Health Resources and Services Administration (HRSA) of the event on November 10, the same day UNOS discovered the configuration error. On December 14, we provided HRSA with a preliminary update on the number of potentially impacted patient records. The maximum potential number of impacted records is approximately 1.2 million. In order to determine whether there was an actual impact to any of these individuals, we must conduct additional analysis. We are working to complete the impact analysis as quickly as possible.
We are treating this matter with the highest priority and will provide an update when more information is available.