
Senators Demand Answers from the United Network for Organ Sharing About 1 Million+ Record Data Breach

U.S. Senators Chuck Grassley (R-IA) and Ron Wyden (D-OR) have written to the United Network for Organ Sharing (UNOS), which administers the Organ Procurement and Transplantation Network (OPTN), demanding answers about a recently identified data breach and criticizing UNOS for its apparent inability to operate the OPTN.

The Senators previously wrote to UNOS in January 2022 to express their concerns about OPTN systems, which were in desperate need of modernization to protect them from cyberattacks. There is only a short window of opportunity for matching donors with patients in need of transplants, and any disruption to the system – a ransomware attack for example – could result in the loss of many lives.

The Senators also voiced their concerns with the White House Chief Information Officer in February 2022 about the technology in use and the cybersecurity measures to protect the OPTN from cyberattacks. In September of that year, the HHS Office of Inspector General (OIG) published a report that called for the Health Resources and Services Administration (HRSA) to improve oversight of the cybersecurity of the OPTN. The OPTN had been criticized for the use of outdated IT systems and the lack of technical capabilities to upgrade the systems, secure them, and ensure they are fit for purpose.

On March 20, 2023, the Senators wrote to UNOS about an outage of the DonorNet system on February 15, 2023, which put patients’ lives at risk, and again criticized UNOS for the failure to operate the critical technology supporting the OPTN. A few days later, the Senators wrote to UNOS again about a recently discovered data breach.


In November 2023, UNOS conducted two software tests and discovered a software configuration error had exposed the sensitive data of 1.5 million organ transplant patients and DonorNet system users. Users of the system can access individual records on a case-by-case basis; however, the error allowed access to all records on the OPTN and DonorNet system, including details such as names, dates of birth, Social Security numbers, and procedures. In the latest letter, the Senators have demanded answers about the data breach and expressed their “continued concerns with the security of UNOS’s critical technology and its apparent inability to efficiently and effectively operate the OPTN.”

Specifically, the Senators want to know how the data breach was identified; the root cause of the breach and any relevant investigations and reviews; the number of patients affected; whether patient records were accessed by unauthorized individuals; and how many individuals were able to access patient data they were not authorized to view. They have also requested information about breach response processes at UNOS, including the response to the latest breach, whether patients have been notified, and the steps taken to prevent further breaches and cyberattacks. UNOS has been given until April 10, 2024, to provide the answers.

Sens. Grassley and Wyden have been pushing for reforms to improve the administration of the OPTN. In April 2023, they proposed new legislation – The Securing the U.S. Organ Procurement and Transplantation Network Act – to improve the management of the OPTN, which for the past 40 years has been solely administered by UNOS. The legislation was signed into law by President Biden in September 2023; it breaks up the contract for the management of the OPTN and encourages participation from competent and transparent contractors. The aim of the legislation is to improve transparency and address the many failures that have plagued the OPTN over the past 40 years, and it is hoped that the breakup of the monopoly will increase competition and help to save many lives.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
