Grassley, Wyden Probe Data Breach that Exposed Organ Transplant Patients’ Sensitive Data

Sens. Chuck Grassley (R-Iowa) and Ron Wyden (D-Ore.) are holding the United Network for Organ Sharing (UNOS) accountable after a data breach allowed UNOS system users unauthorized access to over a million sensitive patient records. This technology breakdown is the latest in a string of failures at UNOS, which for 40 years has held the sole government contract to manage the U.S. organ transplant system. Grassley and Wyden, the former and current chairmen, respectively, of the Senate Finance Committee, last year authored a historic law that breaks up the organ transplant contract and encourages the most competent contractors in the field to manage the nation’s organ system.

“Whether the exposed data was accessed by authorized users only or not, this mishandling error is another example of UNOS’s failure to operate the critical technology supporting the OPTN,” the senators wrote. “Given the large amount of sensitive data UNOS stores and collects on past and present patients, it is imperative that data breaches do not happen again.”

 Grassley and Wyden more than two years ago urged UNOS to modernize and secure its technology system, and raised concerns regarding UNOS’s cybersecurity standards to the White House Chief Information Officer. The lawmakers further sounded the alarm after a UNOS system outage briefly halted all transplant matches, putting patients’ lives at risk.

Read Grassley and Wyden’s latest letter HERE and below.

March 27, 2024

VIA ELECTRONIC TRANSMISSION

Dr. Maureen McBride

Chief Executive Officer

United Network for Organ Sharing

700 N 4^th Street

Richmond, Virginia 23219

Dear Dr. McBride:

On November 10, 2023, during two software tests, the United Network for Organ Sharing (UNOS) discovered it had been exposed to a data breach as a result of a software configuration error that gave unauthorized access to at least 1.5 million patient records to Organ Procurement and Transplantation Network (OPTN) and DonorNet system users.[1]  System users are authorized to view specific patient records on a case-by-case basis for the purpose of providing medical care.[2]  However, system users do not have unfettered access to every patient record within the OPTN and DonorNet system, which was the result of the breach.[3]  The sensitive data that was exposed included patients’ dates of birth, social security numbers, and procedures.[4]  Whether the exposed data was accessed by authorized users only or not, this mishandling error is another example of UNOS’s failure to operate the critical technology supporting the OPTN.

Unfortunately, this is not the first time we have raised concerns regarding UNOS’s inability to operate its critical technology.  On January 31, 2022, we wrote to UNOS expressing concerns and asking then-CEO Brian Shepard to “[t]ake immediate action to modernize the national [OPTN] information technology system and secure it from cyber-attacks.”[5]  On February 11, 2022, we also raised concerns with the White House Chief Information Officer regarding the cybersecurity and technology used by UNOS as the nation’s OPTN contractor.[6]  Then, on March 20, 2023, we wrote to your organization expressing concerns about the February 15, 2023, DonorNet outage, which left patients’ lives at risk.[7]

UNOS is responsible for overseeing and operating the OPTN IT System, which maintains the waitlist for all organ transplant candidates in the United States.[8]  According to UNOS’s website, “UNOS works for the more than 100,000 patients on the transplant waiting list to ensure they have equitable access to lifesaving organs…”[9]  In 2023, UNOS facilitated more than 46,000 organ transplants.[10]  Given the large amount of sensitive data UNOS stores and collects on past and present patients, it is imperative that data breaches do not happen again.

Considering our continued concerns with the security of UNOS’s critical technology and its apparent inability to efficiently and effectively operate the OPTN, please answer the following questions no later than April 10, 2024:

1. Please describe how UNOS identified the existing data breach. Provide all records.[11]
2. Please describe UNOS’ understanding of the root cause of the data beach and any relevant investigations or reviews. Provide all records.
3. How many patients were affected by the data breach and over what period of time?  Provide all records, including any updates or revisions UNOS may have made regarding the total number of patients impacted by the data breach.
4. How many patient records were accessible during the data breach?  How many patient records were actually accessed during the data breach?  Provide all records, including any updates or revisions UNOS may have made regarding the total number of patient records impacted by the data breach.
5. How many, authorized or unauthorized, users were able to access patients’ sensitive information during the data breach?  How many actually accessed this data?  Provide all records.
6. What is UNOS’ process for responding to a real-time data breach or cyberattack on its technology systems?  Provide all records.
7. Provide all records of communications UNOS had with HHS, HRSA, or any other federal agency in regards to the data breach.
8. Has UNOS notified the patients who had their data breached?  If not, why not?  Provide all records.
9. What steps has UNOS taken to mitigate future data breaches and cyberattacks? Provide all records.

Thank you for your prompt review and responses. If you have any questions, please contact Tucker Akin of Senator Grassley’s staff at (202) 224-0642 and Melissa Dickerson of Chairman Wyden’s staff at (202) 224-4515.

Sincerely,

Ron Wyden                                                                                     

Chairman                                                                                  

Committee on Finance

Charles E. Grassley

Member

Committee on Finance