NOTICE OF UDN DATA EXPOSURE
NIH clinical study 15-HG-0130, Clinical and Genetic Evaluation of Patients with Undiagnosed Disorders Through the Undiagnosed Diseases Network (UDN)
There has been a data exposure affecting some participants’ private study information, located at the UDN Coordinating Center at Harvard Medical School. After substantial investigation and review, we wanted to inform participants about what happened. Those UDN participants who were impacted will be receiving a letter from the National Institutes of Health with more specifics and may additionally receive a letter from the privacy or Health Insurance Portability and Accountability Act (HIPAA) office of their local site. We sincerely apologize for this data exposure and the concern it may cause for UDN participants and their families.
In May 2016, a former employee of the UDN Coordinating Center at Harvard Medical School posted “credentials” (permission) to an electronic system that allowed access to UDN data. This posting of credentials was unauthorized and in violation of UDN and Harvard policies, but we believe it was the result of human error and not malicious intent. The Harvard University and Harvard Medical School Information Technology departments were notified of this issue on February 20, 2020. The UDN Coordinating Center learned that, in February 2020, one unauthorized person used the credentials to download data, which they gave to at least one other unauthorized person. We have no evidence that any other unauthorized individual has accessed (opened to view) the data.
WHAT INFORMATION WAS INVOLVED
Data exposed involved 1,625 accepted participants and 3,796 family members. These data varied by individual and may have included names, dates of birth, street addresses, city/state/zip codes, parent/guardian names and/or contact information, family member information, medical terms, and free text describing medical conditions. The exposed data did not include financial information or Social Security numbers. Therefore, we do not believe there is substantial risk for identity theft or financial fraud.
WHAT WE ARE DOING
The UDN Coordinating Center immediately disabled the credentials that allowed the unauthorized access, changed all other credentials, began reviewing logs (electronic lists of information) to see what data were exposed, and notified law enforcement officials. Senior leaders at the UDN Coordinating Center and the National Institutes of Health have been working together to correct this situation.
WHAT YOU CAN DO
To date, we have no evidence that the exposed data have been used against any UDN participant. However, if you have concerns or questions about this incident, feel free to contact the UDN Call Center established at Harvard for this purpose at 1-833-778-0018. The call center hours are Monday through Friday, from 9 a.m. until 8 p.m. Eastern Time.
Updated March 27, 2020