Quick Facts

• Date: 3/7/2011
• Institution: University of Massachusetts Amherst
• Type of Incident: Penetration
• Number Affected: 942
• Source: DataLoss DB
• Abstract Source: Health Data Management, University of Massachusetts News Release

Abstract
The University of Massachusetts recently notified individuals after staff discovered malware on a computer containing protected health information. The computer, used in UMass's University Health Services, contained the names, health insurance company and medical record numbers on 942 UHS patients. In addition, the computer contained the prescription information, including medication, pharmacist, quantity, length of prescription and physician between Jan 2009 and Nov 2009 for these patients. The computer was originally infected in June 2010 and was corrected by the end of Oct 2010. A follow up investigation did not find any evidence that the protected health information was copied. In the letter, UMass officials advise affected individuals to monitor their health insurance information for any unusual activity but believes the likelihood of problems to be very low. UMass has responded to the incident by increasing training of UHS staff, installing automated software to discover malware infections and increasing efforts to discover protected information on desktops and workstations.

Quick Fact

• Date: 12/10/2010
• Institution: University of Wisconsin-Madison
• Type of Incident: Penetration
• Number Affected: 60,000
• Source: DataLoss DB
• Abstract Source: Wisconsin State Journal

Abstract
The University of Wisconsin-Madison recently began notifying individuals following the breach of a server containing personal information. One of the files on the server, which pertained to the UW-Madison Wiscard system, held the names and Social Security numbers of 60,000 students (mostly former), faculty and staff. The file in question held information used for old photo IDs that had the Social Security number of the individual embedded in the ID number. An investigation by university staff did not uncover any evidence that the file was downloaded or accessed by any unauthorized individual.

Quick Facts

• Date: 12/9/2010
• Institution: University of Alberta
• Type of Incident: Theft
• Source: DataLoss DB
• Abstract Source: CBC News

Abstract
Alberta Privacy Commissioner Frank Work is upset over the theft of a number of laptops containing health, employee and financial information in the past month. The seven thefts include the recent theft of a University of Alberta laptop containing Medical Charts to 2,700 pediatric gastroenterology patients participating in a study. “I think its totally irresponsible now in this day and age,” Work said concerning the fact that the laptops were unencrypted despite the data they contained. According to Work encryption is not only the law but companies, organizations and agencies “...have a responsibility to your patients, your clients, your employees to encrypt their information when you're carrying it around with you.”

Quick Facts

• Date: 11/15/2010
• Institution: University of Nebraska System
• Type of Incident: Unauthorized Disclosure
• Number Affected: 300,000
• Source: DataLoss DB
• Abstract Source: KCAUTV, Omaha World Herald

Abstract
A Nebraska initiative to increase transparency in spending inadvertently exposed the personal financial information on hundreds of thousands of students. The web site, Nebraskaspending.gov, lists millions of payments made by the Nebraska government. Among the 2008-09 data are 300,000 payments to University of Nebraska students that include the students name, refund amount, scholarship information and other financial aid reimbursement information. When this information was first discovered, there was a disagreement over who should remove the information. University of Nebraska officials requested that the State Treasurer’s Office remove the information, but the State Treasurer Shane Osborn said he did not have enough staff to do this. Instead, Osborn stated that the University of Nebraska had ample opportunity to remove the data before it was sent to the State and the data should never have been in the files received by his office. However, the university and the State have come to an agreement. The information has been removed from the web site and the university will be given adequate time to remove the information from the 2009-10 data.

Quick Facts

• Date: 11/10/2010
• Institution: Methodist Theological School in Ohio
• Type of Incident: Theft
• Number Affected: Unknown
• Source: DataLoss DB
• Abstract Source: New Hampshire Attorney General(PDF)

Abstract
The Methodist Theological School in Ohio recently notified the New Hampshire Attorney General following the theft of a laptop containing student information. The laptop, stolen from a staff member in a locked off-campus location, contained the names, addresses, letter grades for completed courses, Social Security numbers, dates of birth and record of payments received for an unknown number of MTSO students. According to the notice, not all of the information was available on all affected individuals and the laptop did not contain any financial account information. While the investigation so far has shown this to be a random act of theft, MTSO is offering those affected one year of credit monitoring service at no cost. In addition, MTSO is working to strengthen data protection safeguard to help prevent future incidents.