An incident at a major university exposed the private information of 4,441 transplant recipients and donors for 16 years. We spoke with experts to find out what went wrong and how you can stay secure.
Donor and recipient names, Social Security numbers, lab results, medical record numbers and dates of service may have been viewable online. Free credit monitoring services were made available to those affected.
What Was Involved?
VCU’s IT staff discovered a breach Oct. 24 during routine monitoring and immediately took steps to have the affected server taken offline for further analysis. A review revealed that intruders had access to data stored on one server for only 16 minutes, but created accounts and could access information stored on other servers as well.
The university maintains that this unauthorized activity had no impact on patient treatment or services and there is no indication anyone’s personal data was misused for illicit purposes; nevertheless, this should serve as an important wake-up call to any organization using the internet to transfer, store and protect sensitive data.
This data breach affected 4,441 transplant donors and recipients across an Arizona health system. Affected information included names, Social Security numbers, lab results, medical record numbers and dates of service – viewable to recipients/donors or their representatives when they logged into either patient portal.
Server access revealed financial account numbers of those treated at the facility, generally between Jan. 3, 2003 and May 10, 2022, when an employee worked there; the investigation could discern no malicious intent.
VCU’s campus police and IT teams quickly responded to the incident and have reported no evidence of any unapproved server activity. A blanket email will be sent to all potential victims, and letters will also be mailed directly. In addition, VCU created a dedicated website about the event and added links on its home page to more details.
Blackbaud software had an inherent vulnerability that allowed for this breach. Blackbaud provides online data storage to hundreds of universities and nonprofits. Universities use Blackbaud applications that link various university systems, like Banner with admissions, ID cards and health systems within schools. Blackbaud works closely with its clients to identify any breaches and notify them as soon as they occur.
Who Was Involved?
VCU is committed to the safety of its students, faculty, staff and visitors. You can help keep our campus secure by remaining vigilant, walking with friends when possible and taking advantage of RamSafe, our security escort service.
Research security is also of great importance at our university. To that end, researchers are working on cyber-physical systems – embedded computers and networks used to control physical processes like power plants, industrial 3D printers and medical devices – as well as supporting our designation as a Center of Academic Excellence in both cybersecurity defense education and research.
A Phoenixville Hospital employee was suspended and later terminated for accessing patient health information without authorization, according to a statement from the hospital. The unauthorized access may have included names, birth dates, addresses, diagnoses and test results, as well as partial Social Security numbers or identification numbers of some patients. The incident is under investigation by both hospital administration and local law enforcement agencies. Any concerns related to this incident should be reported to the Integrity & Compliance Office. Reports made in good faith are protected against retaliation under our Duty to Report and Protection from Retaliation policy, in addition to the protections provided by state and federal whistleblower laws.
What We Are Doing About It
VCU has released a statement informing people whose personal information may have been found on a compromised server. Routine monitoring of its servers revealed suspicious files on one device. VCU then took the device offline for further examination and found that an Internet worm had infiltrated it, which allowed someone offsite to use it as a platform to hack another server within its network. That second server contained files with the Social Security numbers, names or electronic IDs, birth dates and various programmatic or departmental details of 176,567 current and former faculty, staff members and students.
On February 7th, VCU Health became aware that transplant donors and recipients could access some protected health information (PHI), including their names, ages, lab results, medical record number, date(s) of service or birth dates via their patient portal or when exercising their right under HIPAA to acquire copies of their medical histories from VCU Health. This data could be seen when accessing either of those portals to check records.
VCU determined through its investigation that employees from certain community physician groups and a contracted vendor accessed this data. VCU did not reveal which groups or individuals gained access, but told WVBT it has taken action against these employees and is working closely with both local and federal law enforcement agencies.
Hospital system officials announced in a statement that they discovered that any unauthorized access by these individuals was done independently and was not part of any coordinated attack; further investigations are ongoing.
VCU has been at the center of two massive data breaches since 2022: first through an IT glitch at VCU that led to phishing scams affecting thousands of alumni, and then through Blackbaud, which provides database hosting services for hundreds of universities and nonprofits around the country; over one million people had their personal information exposed in that one attack alone. VCU used Blackbaud for fundraising activities as well as alumni outreach initiatives.
How You Can Help
Start by keeping yourself up-to-date. Keep up with current affairs, sign up for updates from companies whose information has been compromised, and stay abreast of any new developments so you can take appropriate actions.
When you receive any notification, read it thoroughly to understand exactly which data may have been compromised: your name and email address, Social Security number, financial information and so on.
Practice good computer security habits by not leaving your computer unattended, being mindful with attachments and downloaded files, using antivirus protection software and staying current with security updates. Doing this will help to safeguard against hackers gaining access to sensitive information. Additionally, if you suspect cybercrime has occurred and you may be a victim of Internet crime, report any suspicious activity to IC3.