GRC Viewpoint

16-Year-Old Vulnerability Identified, Experts Surprised by Its Long Duration

The sensitive, confidential health information of about 4,000 patients was exposed for 16 years. The incident is associated with a US medical transplant center.

The exposed information includes:

  • Social security numbers
  • Lab results
  • Dates of birth
  • Medical records
  • Names

The Virginia Commonwealth University (VCU) health system confirmed the breach, which began in 2006. The leaked information could be easily accessed by transplant recipients, donors, or their representatives.


The incident was discovered on 7 February 2022, and the scope of the breach was established towards the end of March 2022.

More clarity is still needed on the causes of such a persistent data security issue. So far, there has been no evidence of any misuse of the leaked information.

Critical information, including lab results, medical record numbers, surveys, and dates of birth, was potentially accessible to various people, including organ donors and recipients. A notable detail of the incident is that a donor could only view one recipient’s data, if any. “The number of donors the recipients may have viewed depended on the number of potential donors who were tested. We are insured for this possibility and have worked with the cybersecurity experts available to us through our insurance coverage to resolve the issue,” says a VCU spokesperson.


Experts attribute the incident to a misconfiguration or design flaw: the system was built in such a way that any user could access the information without any special effort.

Experts are also surprised that the weakness went unnoticed for such an extended period.
