Quick Facts

• Date: 3/4/2011
• Institution: University of South Carolina, Sumter
• Type of Incident: Penetration
• Number Affected: 31,000
• Source: ESI
• Abstract Source: The Post and Courier, The State

Abstract
The University of South Carolina recently notified individuals that their personal information may have been exposed during a January 2011 security breach. The notices were sent to 31,000 faculty, staff, students and retirees at all eight University of South Carolina campuses after the breach of a server that is used by USC campuses to share data and information. The university does not have any evidence that personal information was accessed during the breach. The affected server was taken offline within two hours of discovering the breach in January. However, notices did not go out until all individuals potentially affected had been identified on March 1. According to USC spokeswoman Margaret Lamb, the university has addressed the issue, notified the individuals affected and provided these individuals with information on how to protect themselves from identity theft. It is not clear how the breach occurred, but according to Lamb the cause was human error.

Updated to correct typos. Special Thanks to Allison Dolan for pointing out the error. - Adam

Quick Facts

• Date: 2/3/2011
• Institution: University of Washington
• Type of Incident: Unauthorized Disclosure
• Number Affected: 17 (via PHIPrivacy.net)
• Source: PHIPrivacy.net
• Abstract Source: KING5

Abstract
KING5 was recently contacted by an individual that obtained University of Washington medical records while purchasing surplus furniture. The information is stored on 19 DVDs and one paper record and is comprised of mostly X-ray and MRI images of spines. KING5 Allen Schauffler was able to trace Vicki Goetz, whose name, along with phone number, was on a post-it note attached to a DVD. According to Goetz, she was a patient of the UW Bone and Joint Center and had two different surgeries there before finding another doctor. UW has stated that they are not sure how these files could have been left in surplus furniture but offers apologies to everyone affected. A UW spokesperson also said the university is reviewing policies and procedures and will work to tighten things up.

Quick Facts

• Date: 2/3/2011
• Institution: University of Iowa
• Type of Incident: Employee Fraud
• Number Affected: 13
• Source: ESI
• Abstract Source: Press-Citizen

Abstract
University of Iowa officials have taken access against five staff members for their involvement in unauthorized access to hospital records. Three staff members have been fired and two have been suspended without pay for five days for inappropriately accessing the medical records of 13 UI football players being treated for rhabdomyolysis. Citing federal privacy laws, UI has not named the individuals involved, the information accessed or how the information was used.

Quick Facts

• Date: 12/18/2010
• Institution: Stony Brook University
• Type of Incident: Student Misconduct
• Number Affected: 61,101
• Source: DataBreaches.net
• Abstract Source: Stony Brook Independent

Abstract
Stony Brook University is investigating how files containing student and faculty information ended up online. The file in question contained the names, usernames and University IDs of 61,101 students and faculty but did not contain any password or Social Security number information. The file was uploaded to sbuchat.com, a web site for “anonymous discussion and exchange of options of Stony Brook University students.” In an interview with the file-poster (who refused to be named), the file-poster compiled the file last May after discovering an exploit in a Stony Brook system that would allow someone to change passwords without knowing the original password. The exploit also allowed the file-poster to access a list of all registered faculty and students. According to Richard Reeder, Stony Brook’s CIO, two students did report the a problem like the one described by the file-poster and the flaw was fixed within a few hours. According to the file-poster, the original plan did not include posting the file publicly. However, after the sbuchat.com community demanded proof the list existed or be dismissed the file was posted in PDF and Excel formats.

Quick Fact

• Date: 12/10/2010
• Institution: University of Wisconsin-Madison
• Type of Incident: Penetration
• Number Affected: 60,000
• Source: DataLoss DB
• Abstract Source: Wisconsin State Journal

Abstract
The University of Wisconsin-Madison recently began notifying individuals following the breach of a server containing personal information. One of the files on the server, which pertained to the UW-Madison Wiscard system, held the names and Social Security numbers of 60,000 students (mostly former), faculty and staff. The file in question held information used for old photo IDs that had the Social Security number of the individual embedded in the ID number. An investigation by university staff did not uncover any evidence that the file was downloaded or accessed by any unauthorized individual.