Organ transplant nonprofit UNOS exposes 1.2M/1.5M records via test systems
Take action: While we commend the data breach report in a situation where a lot of companies will shrug off the issue and never report it, there is one key question: Why did UNOS hold live data on test systems? Even more, millions of records of live data? Because test systems are living experiments, storing massive sets of production data on them is a recipe for a more serious future incident.
A recent data security incident at the United Network for Organ Sharing (UNOS) - a Richmond-based nonprofit responsible for organ transplantation oversight in the United States - has led to the potential exposure of up to 1.2 million patient records.
UNOS plays a pivotal role in managing the Organ Procurement and Transplantation Network, which encompasses 56 organ procurement organizations and 248 transplant hospitals across the United States, handling organ transplants such as kidneys and livers.
UNOS has reported, and is currently investigating, a configuration error on two systems that allowed users of those systems to access sensitive information without a need to know it.
The exposed data includes Social Security numbers, birth dates, and details of medical procedures. However, specifics on the number of individuals affected and the extent of data exposure have not been disclosed by UNOS representatives.
Update: as of 22 January 2024, UNOS has updated its incident report to indicate that the number of exposed records is 1.5 million.
This was not a security breach perpetrated by any unauthorized external parties. The incident was confined to two developmental environments intended for creating, testing, and preparing new tools, and had no impact on the processes involved in matching or allocating organs for transplant patients.
Access to these environments was strictly limited to individuals authorized within the organ transplant community. At present, there is no evidence to suggest any breach of our privacy policies related to the dissemination of confidential data, nor do we have any indication that the exposed patient data was inappropriately used.
UNOS has stated there's no indication that any patient data was misused and confirmed that their system was not infiltrated by an unauthorized external party. After discovering the error on November 14, UNOS removed the exposed information from online access and engaged a security expert to evaluate the extent of the incident.