Educational Security Incidents (ESI)

Quick Facts

• Date: 6/10/2008
• Institution: University of Utah
• Type of Incident: Theft
• Number Affected: 1,500,000 (Revised)
• Source: ESIhttp://www.adamdodge.com/esi/node/352/edit
• Abstract Source: University Health Care News Release
• Update1 Source: The Salt Lake Tribune
• Update2 Source: The Salt Lake Tribune

Abstract
The University of Utah Hospitals & Clinics is currently notifying 2.2 million patients about the theft of medical billing records. On June 2, a box of backup tapes containing patient and guarantors billing records was stolen out of a car belonging to a contracted independent storage company. The tapes contained the personal information on 2.2 million patients and guarantors including patient names, related demographic information and diagnostic codes. In addition, these records contained the Social Security numbers of 1.3 million patients. The Salt Lake County Sheriff’s Department, the FBI and the U.S. Postal Service are investigating the theft. According to Lorris Betz, M.D., Ph.D, Senior Vice President for Health Sciences, University of Utah Hospitals & Clinics is taking aggressive steps to protect patient confidentiality including notifying all 2.2 million individual through postal mail, offering one year of free credit monitoring to those whose SSNs were on the tapes and offering a $1,000 reward for the return of the tapes, no questions asked. The University of Utah Hospitals & Clinics has also setup a hotline - 866-581-3599 - and a web site - healthcare.utah.edu/billingrecordstheft - to help answer any questions and provide more information about the theft.

Update1
The University of Utah Hospitals & Clinics has revised the total number of affected individuals to 1.5 million. The revised count takes into account duplicate records and records on deceased individuals. However, the university also removed individuals where there is no valid address for the record. A spokesperson encouraged anyone who is concerned that they might be affected to call the hotline setup by University of Utah Hospitals and Clinics, especially if they do not receive a notification letter by July 1.

Update2
The stolen backup tapes containing 1.5 million University of Utah Hospital and Clinics patient records have been recovered according to the Salt Lake County Sheriff's Office. Detail surrounding the recovery are not available at this time but no arrests have been made concerning the theft. Salt Lake County sheriff's Lt. Paul Jaroscak called the investigation in to the theft deep and ongoing.

Quick Facts

• Date: 5/29/2008
• Institution: University of California, San Francisco
• Type of Incident: Penetration
• Number Affected: 3,569
• Source: Attrition.org
• Abstract Source: UCSF News Office

Abstract
The University of California, San Francisco is currently alerting a number of patients that their information may have been accessed by an unknown individual. In January 2008, UCSF noticed odd traffic coming from a computer in January and an investigation turned up that an unknown individual installed an unauthorized file sharing program on the computer. This computer also contained the names, Social Security numbers, dates of pathology service and health information of 2,625 UCSF patients and 944 patients whose tissue samples were used by the department. While there is no evidence the patient files were accessed, UCSF takes this incident and patient confidentiality very seriously. The university has created a hotline - 415-353-7427 - and e-mail address - PathHotline@ucsf.edu - to help answer any questions affected individuals might have.

Quick Facts

• Date: 5/20/2008
• Institution: University of Florida
• Type of Incident: Unauthorized Disclosure
• Number Affected: 1,900
• Source: ESI
• Abstract Source: Jacksonville Business Journal
• Update1 Source: First Coast News

Abstract
University of Florida officials are set to begin notifying patients of a UF plastic surgeon that their personal information may have been compromised. The surgeon, Dr. Francis D. Ong, is an assistant professor at the UF College of Medicine - Jacksonville. Dr. Ong recent gave a computer containing unencrypted patient information, such as names, dates of birth, Social Security numbers, and Medicare numbers, and patient photos to a family he was friends with. According to David Behinfar, a privacy compliance manager at the College of Medicine, Dr. Ong's actions were against university policy. The College of Medicine mailed out notification letters on May 19th and officials urge concerned patients to contact the College of Medicine hotline - 866-876-4472.

Update1
The laptop Dr. Ong gave to the family has been returned to the university. Dr. Ong told investigators that the computer was only used for personal use by the family and that a member of the family had reinstalled the operating system. Dr. Ong is no longer affiliated with the University of Florida College of Medicine - following this incident. Dr. Robert C. Nuss, Dean of UF's Jacksonville campus, apologized over the incident saying that the university works hard to earn patient's trust. The university will continue to educate doctors and staff on the proper method of storing patient information.

Quick Facts

• Date: 5/2/2008
• Institution: University of California, San Francisco
• Type of Incident: Unauthorized Disclosure
• Number Affected: 6,313
• Source: ESI
• Abstract Source: San Francisco Chronicle

Abstract
The University of California, San Francisco is alerting patients after personal patient information connected with the university was found online. In October of 2007, UCSF became aware that patient information the university had shared with Target America Inc. to help identify potential donors was available online. The information available included the names, addresses, names of departments where patient received care and in some cases patient medical record numbers and physicians providing care on 6,313 UCSF patients. UCSF took immediate action to remove public access to the data once it was aware of the incident. In addition, UCSF ended the business agreement it had with Trade America shortly after the incident was discovered. UCSF is mailed notification letters to the affected patients in April. It is not known why UCSF waited so long to notify patients about the exposure.

Quick Facts

• Date: 5/1/2008
• Institution: Staten Island University Hospital
• Type of Incident: Theft
• Number Affected: 88,000
• Source: Pogo Was Right
• Abstract Source: Staten Island Advance

Abstract
Staten Island University Hospital is alerting patients about a December 07 equipment theft. Thieves made off with a desktop computer and backup hard drive from an administrative office in Rosebank. This equipment contained names, Social Security numbers and health insurance numbers on 88,000 SIUH patients. According to a statement from the hospital, letters are being sent to affected individuals and the hospital is offer one year of free credit monitoring. SIUH spokesperson Arleen Ryback said that the equipment does not contain any medical records but would not comment on why it took SIUH so long to notify patients.