Virginia Commonwealth University Health System has announced a data breach may have exposed the personal information of almost 4,500 organ donors and recipients since 2006.

The Social Security numbers, lab results, medical record numbers, dates of service and birthdays were potentially viewable by other donors and recipients at VCU but were not viewable to the general public, the health system said.

The health system has contacted most of the affected individuals, and a small number have responded. VCU isn't aware of any personal information that was stolen or misused, the system said.

Staffers for VCU Health first discovered the breach in February. Over the next several months, the health system realized some personal information had been exposed for about 16 years. The health system has since rectified the breach.

Information about organ donors was contained in the medical records of certain transplant recipients. The number of donors the recipient was able to view depended on the number of potential donors who were tested.

The exposed personal information belonged not only to organ donors but also to others who were tested to see if they were a match for a transplant.

Information about recipients was also exposed in the medical records of certain donors. The donors could view only one recipient's information, if any, a spokesperson for the health system said.

In addition to donors and recipients viewing other people's information, representatives such as family members, caregivers or legal representatives could see the exposed information if they had access to an account.

Not all donors and recipients since 2006 had their information exposed. It's unclear what percentage of patients did.

Generally, organ recipients do not know the identities of their donors until after a waiting period.

VCU Health is insured against data breaches, the spokesperson said, and the health system worked with external cybersecurity experts made available through the system's insurance coverage to rectify the problem.

The health system mailed letters to affected donors and recipients for whom it could find physical addresses, sending about 3,400 letters. VCU suggested affected patients place a fraud alert and a security freeze on their credit files and obtain a free credit report.

The health system also established a website and phone number for affected patients to call with questions. Patients can dial (855) 610-3514 from 9 a.m. to 9 p.m. on business days.

The act of matching organs with recipients is managed throughout the country by the Richmond-based United Network for Organ Sharing. The system used by UNOS to house donor and patient data is separate from the ones used by hospitals, a UNOS spokesperson said.