Educational Security Incidents (ESI)

Quick Facts

• Date: 12/23/2008
• Institution: Ohio University - Chillicothe
• Type of Incident: Theft
• Number Affected: 38
• Source: Pogo Was Right
• Abstract Source: Chillicothe Gazette

Abstract
Ohio University - Chillicothe is working to alert members of the university's Health Wellness Center after staff discovered the theft of a hard drive containing personal information. The drive, part of a stand-alone machine using specialized software, contained the names and Social Security numbers of 38 current and former members. OU-C discovered the theft on December 9th and began investigating the incident. According to OU-C officials, the information is very difficult to access without the special software used by the Health Wellness Center. However, to help protect the individuals affected by this incident, OU-C is offering one year of free credit monitoring to the 38 current and former members affected by the theft.

Quick Facts

• Date: 12/12/2008
• Institution: Oregon Health & Science University
• Type of Incident: Theft
• Number Affected: 890
• Source: OSF Data Loss DB
• Abstract Source: Oregon Live

Abstract
Oregon Health & Science University is working to notify patients after a laptop containing personal information was stolen. The laptop, stolen from a worker in Chicago on business, contained medical record numbers, names, telephone numbers, dates of birth, gender, medical diagnosis category and category of treatment for 890 OHSU patients. According to OHSU, the information was password protected and may have been removed from the laptop before the theft.

Quick Facts

• Date: 11/14/2008
• Institution: University of Iowa Hospitals and Clinics
• Type of Incident: Employee Fraud
• Number Affected: Unknown
• Source: ESI
• Abstract Source: The Gazette

Abstract
University of Iowa Hospitals and Clinics announced that eight University Hospitals staff members are facing disciplinary actions after inappropriately accessing confidential patient records. Staff discovered the inappropriate access during a routine review of patient record access. According to hospital CEO Ken Kates the hospital has disclosed the incident and apologized to those affected. According to Kates, the hospital will be "stepping up both our training and the penalties for inappropriately accessing or sharing confidential patient information". One of the staff members involved with this incident has been fired.

Quick Facts

• Date: 11/12/2008
• Institution: University of Florida
• Type of Incident: Penetration
• Number Affected: 336,234
• Source: ESI
• Abstract Source: Network World

Abstract
The University of Florida announced that a server containing College of Dentistry patient information was breached by an unknown individual(s). The server contained the names, addresses, birth dates, Social Security numbers of 344,482 patients dating back to 1990. Some of these records did contain dental procedure information. UF discovered the breach on Oct 3rd when staff were performing upgrades on the server. Staff found that an unknown individual(s) had compromised the computer and remotely installed additional software on the server. The server was immediately taken down until staff could strengthen the security controls of the system. UF has mailed out notifications to 336,234 individuals affected by this breach. In the online FAQ, the University of Florida states that the university will not offer any free credit monitoring to the individuals affected by this breach. The university has more information on the incident here - privacy.ufl.edu.

Quick Facts

• Date: 9/23/2008
• Institution: University of New Mexico Hospitals
• Type of Incident: Unauthorized Disclosure
• Number Affected: Unkown
• Source: ESI
• Abstract Source: The Tech Herald

Abstract
The University of New Mexico Hospitals have fired two employees after an investigation discovered these employees were posting pictures of patients to MySpace. The employees would take pictures of patients undergoing various treatments and upload the photographs to the social networking site. According to Sam Giammo, the hospitals director of public affairs, more employees may face disciplinary actions as the investigation moves forward. The hospital has worked with MySpace to remove the photographs after an anonymous tip to a senior member of the hospital staff alerted the hospital to the problem.