We have no evidence that your information was misused.  After notification from the Secret Service, UF cooperated with law enforcement and conducted a separate investigation about the use of patient records. This review determined that some patient records were accessed inappropriately.  Since we know that the former employee who misused the information of some other individuals also accessed your records, we wanted you to be aware of the occurrence, so you will have the opportunity to take additional precautions.

Documents

• Copy of 5/28/2013 letter by UF officials (PDF, 131 KB)
• Copy of 5/29/2013 letter by UF officials (PDF, 131 KB)
• Answers to Commonly Asked Questions (PDF, 45 KB)
• Identity Theft Brochure (PDF, 1.08 MB)

Documents

• Copy of letter by UF officials (PDF, 122 KB)
• Answers to Commonly Asked Questions (Updated 3/5/2012)
• Identity Theft Brochure (PDF, 1.08 MB)

After the Privacy Office became aware of the situation, the PII was immediately secured by removal from Google’s cache and the UF LISTSERV archive.  Furthermore, we have deleted email containing the report from the accounts of individuals on the UF central email server who subscribed to this particular LISTSERV.

Documents

• Copy of letter by UF officials (PDF, 122 KB)
• Answers to Commonly Asked Questions (Updated 3/5/2012)
• Identity Theft Brochure (PDF, 1.08 MB)
• Police Report (PDF, 106 KB)

Florida law requires that patients be notified when their social security number is accessed by unauthorized parties without a legitimate business need or patient consent.

It is unclear why the employee viewed the patient information of these 151 patients, however, it is suspected that the employee may have known these individuals personally, and they may be friends, family or acquaintances of the employee.  We do know that 30 of the patients whose accounts she accessed were co-workers and UF employees.

The employee was hired as a part time employee in November of 2102 and became a full-time employee in December of 2012.  The inappropriate access was first reported to the UF Privacy Office on February 4, 2013 and after an investigation was conducted and the employee was interviewed, the employee’s employment was terminated on February 7, 2013.

The employee had completed 2 on-line UF privacy training courses and also attended a 30 minute live privacy session during new employee orientation.  The employee knew or should have known that accessing the patient accounts without a legitimate business reason was in violation of UF policy.

The University of Florida has sent a letter notifying all of the patients whose information had been accessed by this employee.  The UF privacy Office mailed the patient letters Thursday, March 7. The mailings included a brochure that outlines ways individuals can safeguard their financial information and provides a privacy office hotline number 1-866-876-HIPA if they have questions.

Documents

• Answers to Commonly Asked Questions (Updated 3/5/2012)
• Copy of letter by UF officials (PDF, 92 KB)
• Identity Theft Brochure (PDF, 44 MB)

The University of Florida was notified last week of a computer security breach at Northwest Florida State College that may include the personal information of some current or former UF students eligible for Bright Futures scholarships for the 2005-06 and 2006-07 school years.

Northwest Florida State College continues to investigate the breach and will be responsible for notifying individuals if their personal identification information, including Social Security numbers, may have been accessed from the Internet. The college is coordinating its efforts with the Division of Florida Colleges in the Department of Education.

UF continues to monitor the situation and will assist if asked. For the time being, UF is referring students to Northwest Florida State College. For updates on the investigation and information on what you should do if you believe you may be affected, go to http://www.nwfsc.edu/security/

Northwest Florida State College recommends the following:

• Bright Futures scholars from 2005-06 and 2006-07 who attended any Florida

College or university may call 1-800-688-0656.

• If you notice improper use of your Social Security number and believe you may be the victim of identity theft, contact the Federal Trade Commission at www.ftc.gov/idtheft or call 1-877-ID-THEFT (438-4338).
• Affected persons may also call their local law enforcement agency and file a police report of identity theft, keeping a copy of the police report.
• Students who have attended or are attending Northwest Florida State College should contact Christine Bishop at registrar@nwfsc.edu.
• To protect from the possibility of identity theft, affected individuals may place a free fraud alert on their credit files, which notifies creditors to contact individuals before opening new accounts in their name. Call any one of the three major credit reporting agencies at the numbers below to place a fraud alert:

Experian – (888) 397-3742

Equifax – (888) 766-0008

TransUnion – (800) 680-7289

On May 13, 2012, the Levin College of Law received a report that a former student found social security numbers through the college website. The University of Florida investigation discovered that in the early 2000s, the Levin College of Law (“College”) Office of Admissions purchased a software program, whereby law school applicants admitted to the College could search for a possible roommate among other law school admittees. The College added the program to its website for this purpose. To ensure only College admittees could access the matching list database, the software required the user’s Social Security Number (SSN). The program stored social security numbers in an administrative folder created by the software; neither this folder nor its contents would be visible to someone using the software or the database. While the College stopped using the software to support the matching program in the mid 2000s, the administrative folders and their contents remained on the College’s unlinked web pages and were stored on UF servers. Thereafter, the data, like all web information, has been searchable, and if located, stored in caches maintained by Google.

On Monday, May 14, 2012, the College removed the problematic web pages to make them inaccessible on the UF servers. On repeated occasions since that date, the College, the UF Privacy Office, and the UF Office of the General Counsel have each requested that Google remove the files where the SSNs were cached; as of June 19, Google removed the files. On Saturday June 9th, the LCOL migrated its entire web presence to new software, which enables us to now verify that the web server space the College is allotted will not have any restricted private data.

Documents

• Answers to Commonly Asked Questions (Updated 6/26/2012)
• Copy of letter by UF officials (PDF, 98 KB)
• Copy of letter by the Dean of the Levin College of Law (PDF, 90 KB)
• Identity Theft Brochure (PDF, 1.08 MB)

The unclaimed property could have been an overpayment to UF, a financial aid refund, a parking fine refund or other similarly unclaimed monies and may have belonged to both students and non-students. The state agency has confirmed that there are no other instances of restricted data disclosures. The University also checked information from other submitted annual reports and confirmed that no other restricted data was inappropriately disclosed. The University will follow up after submission of future reports to verify that the information has been entered correctly on the state’s website.

Documents

• Answers to Commonly Asked Questions (Updated 2/15/2012)
• Copy of letter by UF officials (PDF, 95.9 KB)
• Identity Theft Brochure (PDF, 1.08 MB)

The data was originally stored on these hard drives when the University used social security numbers to identify individuals. Since then, the University converted to UFIDs in 2004 and faculty and staff have been notified that social security numbers should not be contained on hard drives.

Documents

• Copy of letter by UF officials (PDF, 95.9 KB)
• Identity Theft Brochure (PDF, 1.08 MB)

Physics Department Server Breach

The University’s Privacy Office was notified of a privacy breach which occurred on May 2, 2002, and was discovered on March 17, 2011. Specifically, the Physics Department server was hosting files that contained former students’ Personally Identifiable Information (PII).  UF information technicians discovered the web-accessible file during a routine security check.  Some of these files were publicly accessible in Google and the information disclosed included student names, social security numbers and grades.

When these files were created, it was standard to use Social Security numbers to identify students.  As of 2003, that practice is longer used as an identifier for student academic records; faculty and staff use only secured protocols to store student data.  All files containing PII have been removed from the server and can no longer be accessed via Google.

Documents

• Copy of letter by UF officials (PDF, 104 KB)
• Identity Theft Brochure (PDF, 1.08 MB)

Florida law requires that patients be notified when their social security number is released to third parties without their consent.  Neither the STS nor its data warehouse business partner have reported any breach or other unauthorized access or disclosure of any patient information from the database.

While it is unlikely that the patient information disclosed to the STS database was subsequently disclosed to unauthorized persons or used for unlawful purposes, the University of Florida has sent a letter notifying all of the patients whose social security numbers had been disclosed to the STS national database that their information had been submitted to the database.

In 2008, the STS began collecting social security numbers to enhance their analysis of clinical data of heart surgery patients and link with information contained in other databases, such as ones maintained by the Centers for Medicare and Medicaid Services with the aim of improving patient care.  A large percentage of the heart surgery centers across the country participate in the STS database.

STS contracted with the Duke Clinical Research Institute (DCRI) to provide data warehouse and analysis services.  According to the attorney for the STS, the database warehouse contractor DCRI has exhaustive policies and procedures in place for protecting the privacy and security of patient data.

STS also allows DCRI to release the patient information to medical researchers after approval by the Duke Institutional Review Board.  According to the STS, any disclosure of patient information from the database for research purposes is in compliance with federal privacy and research regulations.

UF had a comprehensive written agreement with STS to allow STS to act on its behalf to store and analyze the patient information and provide to UF benchmarking data allowing comparison with other heart surgery centers across the nation.

According to UF policy, the release of patient social security numbers to third parties for non-routine business purposes requires approval from the University.  Despite the protections in place to protect the privacy and security of patient information in the database, the release of patient social security numbers to a national database for quality assurance purposes and possible medical research without UF prior approval was in violation of University of Florida policy.

The UF privacy office mailed the patient letters Thursday, April 7. The mailings included a brochure that outlines ways individuals can safeguard their financial information and provides a privacy office hotline number 1-866-876-HIPA if they have questions.

Documents

• Answers to Common Questions Regarding Cardiothoracic Patient Research Breach (PDF, 80 KB)
• Copy of letter by UF officials (PDF, 61 KB)
• Identity Theft Brochure (PDF, 109 KB)