Skip to main content

Notice: Data privacy incident and steps taken

Published on: Monday, August 22, 2022

The Organ Procurement and Transplantation Network (OPTN) is committed to keeping information confidential and secure.

Recently the OPTN discovered a data privacy and security incident that involved personally identifiable information (PII) and protected health information (PHI) that was entered into our system. Although there is no evidence of any improper use, we respect the privacy of all information collected by the OPTN, which is why we are sharing this information as part of our continuing commitment to all impacted individuals.

What Happened?

The OPTN is required by regulation to make data available for bona fide research or analysis. On June 21, 2022, we learned that certain fields in an otherwise de-identified research data set about organ transplant donors and recipients contained personal identifiable information (PII) and protected health information (PHI). This research dataset contains data collected about organ transplantation in the United States and is available to researchers who sign a Data Use Agreement (DUA). The dataset was de-identified, which means that fields containing identifying information such as names, address, taxpayer ID number, etc. were removed. Unfortunately, other text fields permitted the inclusion of potentially identifying information.

What Information Was Involved?

After an extensive search of the data set, we have identified limited PII/PHI was entered in a free-text field. The PII/PHI information disclosed varies by individual, but may include first and last names, social security numbers, dates of birth/death, diagnosis, medications, and/or other medical treatment information. There is no reason to believe that the extremely limited information inappropriately shared with researchers could be used for improper purposes.

What We Are Doing

We value the privacy of all individuals with records in our system and deeply regrets that this incident occurred. We have taken a number of steps to investigate how this breach happened, lessen any potential harm to those impacted individuals, and prevent any further inadvertent disclosures of identifying information.

We immediately took steps to prevent access to the dataset by third parties, and to ensure there was no further distribution of the dataset containing the information until it could be confirmed that all identifying information was removed.

As a result of this issue, and to avoid future issues, we have taken the following additional steps:

  • Elimination and/or NULLing of free-text fields from the dataset.
  • Evaluation of free text fields in the dataset, including scanning for similar for potential PHI exposure.
  • Review of audit log data to identify the users at OPTN Member Institutions who input the PHI data in the text fields for further education and training on data privacy and security.
  • Notified all impacted individuals via Certified U.S. Mail and/or Secure E-Mail for whom we had current contact information.

What Can You Do?

We continue to mitigate the risk of potential negative outcomes resulting from this breach to the best of our ability. For more information related to this breach, please reach out to the UNOS Privacy Office by calling 1-888-850-0109 or emailing privacy@unos.org.