Educational Security Incidents (ESI)

Quick Facts

• Date: 11/12/2008
• Institution: University of Florida
• Type of Incident: Penetration
• Number Affected: 336,234
• Source: ESI
• Abstract Source: Network World

Abstract
The University of Florida announced that a server containing College of Dentistry patient information was breached by an unknown individual(s). The server contained the names, addresses, birth dates, Social Security numbers of 344,482 patients dating back to 1990. Some of these records did contain dental procedure information. UF discovered the breach on Oct 3rd when staff were performing upgrades on the server. Staff found that an unknown individual(s) had compromised the computer and remotely installed additional software on the server. The server was immediately taken down until staff could strengthen the security controls of the system. UF has mailed out notifications to 336,234 individuals affected by this breach. In the online FAQ, the University of Florida states that the university will not offer any free credit monitoring to the individuals affected by this breach. The university has more information on the incident here - privacy.ufl.edu.

Quick Facts

• Date: 6/10/2008
• Institution: University of Florida
• Type of Incident: Unauthorized Disclosure
• Number Affected: 11,300
• Source: ESI
• Abstract Source: InsideUF

Abstract
The University of Florida began notifying current and past student that their personal information was found available online during a routine audit. The audit discovered that the names, address and Social Security numbers of 11,300 current and former UF students was available online through an Office for Academic Support and Institutional Service (OASIS) website. The site was developed by a former student employee and was used to allow student workers remote access to OASIS records while at remote locations. According to Joe Glover, interim dean of the College of Liberal Arts and Sciences, the student worker did not put any security controls in place to limit the access to this data. The OASIS site was actively used from 2003 through 2005 but remained online until the university discovered this incident and removed the information. The university has setup a hot line - 866-876-HIPA - and web site - privacy.ufl.edu/ - to help answer any questions affected individuals may have.

Quick Facts

• Date: 5/20/2008
• Institution: University of Florida
• Type of Incident: Unauthorized Disclosure
• Number Affected: 1,900
• Source: ESI
• Abstract Source: Jacksonville Business Journal
• Update1 Source: First Coast News

Abstract
University of Florida officials are set to begin notifying patients of a UF plastic surgeon that their personal information may have been compromised. The surgeon, Dr. Francis D. Ong, is an assistant professor at the UF College of Medicine - Jacksonville. Dr. Ong recent gave a computer containing unencrypted patient information, such as names, dates of birth, Social Security numbers, and Medicare numbers, and patient photos to a family he was friends with. According to David Behinfar, a privacy compliance manager at the College of Medicine, Dr. Ong's actions were against university policy. The College of Medicine mailed out notification letters on May 19th and officials urge concerned patients to contact the College of Medicine hotline - 866-876-4472.

Update1
The laptop Dr. Ong gave to the family has been returned to the university. Dr. Ong told investigators that the computer was only used for personal use by the family and that a member of the family had reinstalled the operating system. Dr. Ong is no longer affiliated with the University of Florida College of Medicine - following this incident. Dr. Robert C. Nuss, Dean of UF's Jacksonville campus, apologized over the incident saying that the university works hard to earn patient's trust. The university will continue to educate doctors and staff on the proper method of storing patient information.

Quick Facts

• Date: 11/21/2007
• Institution: University of Florida
• Type of Incident: Unauthorized Disclosure
• Number Affected: 415
• Source: Attrition.org
• Abstract Source: The Independent Florida Alligator

Abstract
The Liberty Coalition recently alerted the University of Florida that the names and Social Security numbers of more then 400 students was available to the public online. The liberty Coalition found 14 files containing the sensitive information dating back to 1998 on a UF web site. Students enrolled in the university's ISM 4220 or ISM 4330 courses between 1998 and 2001 are affected. UF officials immediately removed the files upon notification and a review of the available access log data shows that nobody had accessed the files in five years. An investigation into the incident showed that the files were posted to a gradebook before the university phased out the use of Social Security numbers and student identifiers. The university is still investigating how these files ended up online.

Quick Facts

• Date: 6/28/2007
• Institution: University of Florida
• Type of Incident: Theft
• Number Affected: 946
• Source: ESI
• Abstract Source: WJXT, Jacksonville

Abstract
Shands Hospital and the University of Florida called in the police to investigate the theft of a hard drive containing patient information. In all, the stolen hard drive contained 946 patient records, including names, medical record numbers, birth dates and medical information. According to a police report, the drive was stolen from UF on May 30, but was not reported to the police until June 6. This delay makes it very difficult to investigate the theft according to police. According to UF, new security measures are in place to help prevent future thefts.