Educational Security Incidents (ESI)

Quick Facts

• Date: 9/14/2009
• Institution: University of Florida
• Type of Incident: Unauthorized Disclosure
• Number Affected: 34
• Source: DataBreaches.net
• Abstract Source: University of Florida News

Abstract
The University of Florida announced a recently discovered security breach of personal information. The breach involved a file containing the 34 names and 25 Social Security numbers of trainers working with the Florida Traffic and Bicycle Safety Education program in 2006. The file the unsecured file was removed as soon as it was discovered by university techs during a routine security check. While the file was last modified in 2006, the university believes that the risk to personal information is low. The university has setup a web site - privacy.ufl.edu/ - and hotline - 877-657-9133 - to help answer questions about the incident.

Quick Facts

• Date: 2/19/2009
• Institution: University of Florida
• Type of Incident: Penetration
• Number Affected: 97,200
• Source: ESI
• Abstract Source: University of Florida News

Abstract
The University of Florida is working to notify current and past students, faculty and staff after staff discovered a server breach. The "Grove" server hosted course documentation and course documentation containing files with the names and Social Security numbers of up to 97,200 individuals. UF staff discovered the breach on Jan 14 during routine IT system review. The computer was shut down and the UF launched an investigation. While the investigation was able to confirm unauthorized access had occurred, staff were not able to determine if the files containing private information had been accessed. In a letter (pdf) to the individuals affected by the breach, UF calls the risk of identity theft low but suggests people follow FTC guidelines. The University of Florida has created a web site - privacy.ufl.edu/incidents/2009/academic-technology - with more information on the breach.

Quick Facts

• Date: 11/12/2008
• Institution: University of Florida
• Type of Incident: Penetration
• Number Affected: 336,234
• Source: ESI
• Abstract Source: Network World

Abstract
The University of Florida announced that a server containing College of Dentistry patient information was breached by an unknown individual(s). The server contained the names, addresses, birth dates, Social Security numbers of 344,482 patients dating back to 1990. Some of these records did contain dental procedure information. UF discovered the breach on Oct 3rd when staff were performing upgrades on the server. Staff found that an unknown individual(s) had compromised the computer and remotely installed additional software on the server. The server was immediately taken down until staff could strengthen the security controls of the system. UF has mailed out notifications to 336,234 individuals affected by this breach. In the online FAQ, the University of Florida states that the university will not offer any free credit monitoring to the individuals affected by this breach. The university has more information on the incident here - privacy.ufl.edu.

Quick Facts

• Date: 6/10/2008
• Institution: University of Florida
• Type of Incident: Unauthorized Disclosure
• Number Affected: 11,300
• Source: ESI
• Abstract Source: InsideUF

Abstract
The University of Florida began notifying current and past student that their personal information was found available online during a routine audit. The audit discovered that the names, address and Social Security numbers of 11,300 current and former UF students was available online through an Office for Academic Support and Institutional Service (OASIS) website. The site was developed by a former student employee and was used to allow student workers remote access to OASIS records while at remote locations. According to Joe Glover, interim dean of the College of Liberal Arts and Sciences, the student worker did not put any security controls in place to limit the access to this data. The OASIS site was actively used from 2003 through 2005 but remained online until the university discovered this incident and removed the information. The university has setup a hot line - 866-876-HIPA - and web site - privacy.ufl.edu/ - to help answer any questions affected individuals may have.

Quick Facts

• Date: 5/20/2008
• Institution: University of Florida
• Type of Incident: Unauthorized Disclosure
• Number Affected: 1,900
• Source: ESI
• Abstract Source: Jacksonville Business Journal
• Update1 Source: First Coast News

Abstract
University of Florida officials are set to begin notifying patients of a UF plastic surgeon that their personal information may have been compromised. The surgeon, Dr. Francis D. Ong, is an assistant professor at the UF College of Medicine - Jacksonville. Dr. Ong recent gave a computer containing unencrypted patient information, such as names, dates of birth, Social Security numbers, and Medicare numbers, and patient photos to a family he was friends with. According to David Behinfar, a privacy compliance manager at the College of Medicine, Dr. Ong's actions were against university policy. The College of Medicine mailed out notification letters on May 19th and officials urge concerned patients to contact the College of Medicine hotline - 866-876-4472.

Update1
The laptop Dr. Ong gave to the family has been returned to the university. Dr. Ong told investigators that the computer was only used for personal use by the family and that a member of the family had reinstalled the operating system. Dr. Ong is no longer affiliated with the University of Florida College of Medicine - following this incident. Dr. Robert C. Nuss, Dean of UF's Jacksonville campus, apologized over the incident saying that the university works hard to earn patient's trust. The university will continue to educate doctors and staff on the proper method of storing patient information.