Educational Security Incidents (ESI)

Central Oregon Community College Web Site Offline After Dual Security Attacks

Adam Dodge — Sat, 07 May 2011 00:46:47 +0000

Quick Facts

Date: 5/6/2011
Institution: Central Oregon Community College
Type of Incident: Penetration
Number Affected: Unknown
Source: ESI
Abstract Source: KTVZ

Abstract
Central Oregon Community College recently notified users after taking the college's web site down following a two security breaches. According to notices sent by COCC officials, the web site was taken down on Wednesday and then again on Thursday following security breaches of the site on both days. While originally COCC did not believe any personal information was at risk, additional investigation showed the attacker(s) may have had accesses to 2011 COCC nursing program applicant data and 2012 COCC Foundation scholarship data. According to the notices sent to students in each of these groups, the applications did not contain credit card or Social Security numbers, but did contain email addresses and COCC ID numbers. According to the college, investigations are still ongoing to make sure no additional personal or sensitive information is at risk following the breaches. COCC is working with local and federal law enforcement during the investigation.

Error Exposes Trinity College Dublin Student Data To Campus Network

Adam Dodge — Sat, 30 Apr 2011 00:26:58 +0000

Quick Facts

Date: 4/29/2011
Institution: Trinity College Dublin
Type of Incident: Unauthorized Disclosure
Number Affected: Unknown
Source: DataBreaches.net
Abstract Source: Irish Times

Abstract
Trinity College Dublin recently announced the discovery of a file containing student and information was available to anyone on the college network. The file, which was accessible between August 2009 and March 2011, contained the names, addresses, ID numbers and email addresses of TCD students and staff. In the announcement to those affected, TCD officials stressed the fact that the file was not accessible via the Internet, only the campus network. As required by data privacy legislation, TCD reported this incident to the Data Protection Commissioner.

File Cabinet Containing Central Ohio Technical College Student Records Found At Storage Facility

Adam Dodge — Tue, 19 Apr 2011 00:33:39 +0000

Quick Facts

Date: 4/18/2011
Institution: Central Ohio Technical College
Type of Incident: Unauthorized Disclosure
Number Affected: 617
Source: ESI
Abstract Source: The Columbus Dispatch

Abstract
Central Ohio Technical College recently notified students after educational records were discovered in a file cabinet at an area storage facility. The cabinet, found at the Apple Tree Auction Center, contained course registration cards containing the names and Social Security numbers of 617 students registered for classes in Fall 2010. The cabinet was accidentally sent to storage when the college moved the Student Records office. Since January 2011, the college no longer records Social Security numbers on course registration cards. According to Central Ohio Technical College spokeswoman Alice Hutzel-Bateson, the records were back in the college's possession within 24 hours. The college is offering 12 months of free credit monitoring to those affected by this accident. Students with questions are asked to contact the college's Registrar Jackie Stewart at 740-364-9599.

Prank Results In Eastern Illinois University Data Breach

Adam Dodge — Mon, 18 Apr 2011 23:48:13 +0000

Quick Facts

Date: 4/18/2011
Institution: Eastern Illinois University
Type of Incident: Student Misconduct
Number Affected: Unknown
Source: ESI
Abstract Source: Eastern Illinois University Press Release

Abstract
Eastern Illinois University recently announced the potential exposure of sensitive information after the improper disposal of paper records. The records, contained in two bags taken by a student worker as part of a prank, contained the names and Social Security numbers of individuals employed by EIU in 2002. At this point, the university is working to identify the individuals affected. Coles County Sheriff's Department notified the university on Friday morning that coarsely shredded documents had been dumped roadside. The university responded quickly and staff were sent to find and collect the shredded documents. While the records were shredded in accordance with state guidelines, sensitive information may have been visible. The university is working to institute procedures to prevent a similar incident in the future.

NUI Galway Student Information Exposed In Breach

Adam Dodge — Fri, 15 Apr 2011 02:20:15 +0000

Quick Facts

Date: 4/14/2011
Institution: National University of Ireland, Galway
Type of Incident: Unauthorized Disclosure
Number Affected: Unknown
Source: DataBreaches.net
Abstract Source: NUI Galway Notice

Abstract
The National University of Ireland, Galway recently announced that a file containing personal student information was accidentally made available. The file contained the names, student ID numbers, email address, and mobile phone numbers of students from 2008. The data was exposed after a security issue with the NUI Galway Clubs and Societies computer housing the file and the university believes the file was accessed multiple times between September 2008 and December 2009. The university setup a hotline - 091 492852 - to help answer questions those affected might have.

[Update1]Financial Aid Computers Stolen From Albright College

Adam Dodge — Thu, 14 Apr 2011 01:33:58 +0000

Quick Facts

Date: 4/13/2011
Institution: Albright College
Type of Incident: Theft
Number Affected: 10,000
Source: ESI
Abstract Source: WFMZ
Update1 Source: Reading Eagle Press

Abstract
Albright College recently announced the possible breach of personal information following the theft of computers containing personal information. The computers, stolen from the college's Financial Aid Office in February, contained names, addresses, dates of birth, Social Security numbers and account information on as many as 10,000 current students, prospective students, former students, faculty and staff. According to Albright Vice President for Enrollment Management Gregory E. Eichhorn, the theft may also affect parents, spouses or joint account holders as well. In response to the theft, Albright Public Safety has increased evening and weekend patrols and the college's Information Technology Services are working with departments to reduce the amount of confidential information retained on desktops. The college is working with the Reading Police Department, the County District Attorney's Office and the FBI. Crime Alert Berks County has setup a hotline - 877-373-9913 - for individuals that have more information regarding the theft and is offering up to a $5000 reward for information leading to an arrest.

Update1
One of the two computers stolen from Albright College has been recovered by State Police. The suspect in the theft appears to have stolen the computers to fund a drug habit and was not after the information on the device. The recovered laptop appears to contain most of the sensitive and personal information exposed by the theft. According to Sgt. Raymond Guth, there does not appear to be any evidence that the information on the recovered drive had been compromised by the theft.

Public Records Request Exposes Wenatchee Valley College Student Information

Adam Dodge — Thu, 31 Mar 2011 11:51:05 +0000

Quick Facts

Date: 3/31/2011
Institution: Wenatchee Valley College
Type of Incident: Unauthorized Disclosure
Number Affected: 3,800
Source: ESI
Abstract Source: The Wenatchee World

Abstract
Wenatchee Valley College recently contacted former students after an error processing a public records request released personal student information. In response to a request from a local law firm for 10 years of financial records, WVC forwarded 84,000 pages of information that contained the names and Social Security numbers of 3,800 students that attended the college in 2002. The error was discovered by Brent Magarrell on March 24th. Magarrell contacted WVC about the error and also filed a FERPA violation complaint with the Department of Education.

Stolen Computer Contains NYU Langone Patient Data

Adam Dodge — Tue, 29 Mar 2011 23:29:07 +0000

Quick Facts

Date: 3/29/2011
Institution: New York University, Langone Medical Center
Type of Incident: Theft
Number Affected: 670 (2 Social Security Numbers)
Source: OSF DataLoss DB
Abstract Source: NYU Langone Medical Center Breach Notification

Abstract
New York University Langone Medical Center recently announced that patient information may be at risk following the theft of a computer from a physician's office. The computer, used for research and stolen from the NYU School of Medicine Faculty Group Practice on January 27, contained the names, diagnosis, results of diagnostic tests, and clinical information gathered during office visits on 653 patients between April 1999 and September 2008. An additional 26 letters were sent to individuals whose medical record numbers, home addresses, dates of birth, occupation and, in two cases, Social Security numbers may have been contained on the computer. A suspect in the theft has been arrested but the stolen computer was not recovered at the time. NYU Langone has setup a hotline - 1-877-698-2333 - to help provide more information to those affected by the theft.

University of Regina Web Server Compromised, No Data Exposed

Adam Dodge — Tue, 29 Mar 2011 23:20:34 +0000

Quick Facts

Date: 3/29/2011
Institution: University of Regina
Type of Incident: Penetration
Number Affected: None
Source: ESI
Abstract Source: CBC

Abstract
The University of Regina recently announced that a security breach caused the university to shutdown its main web server. The breach appeared to effect only the web site. While the server was compromised university officials state that no confidential information was accessed by unauthorized individuals. Staff had corrected the problem causing the breach shortly after discovery.

University of Kent Disability Services Email Discloses Patient Names

Adam Dodge — Fri, 18 Mar 2011 11:59:34 +0000

Quick Facts

Date: 3/18/2011
Institution: University of Kent
Type of Incident: Unauthorized Disclosure
Number Affected: 615
Source: ESI
Abstract Source: ZDNet

Abstract
The University of Kent recently responded to a mistake that exposed the personal information of students registered with the Disability and Dyslexia Support Services at the university. The email, sent to inform students of arrangement being made for final exams, contained the names of 615 students in the CC field, exposing their names, email addresses and the fact that they receive support from Disability and Dyslexia Support Services to the other students. In a second email university officials apologized for the disclosure of protected information and had reported the incident to the Office of the Information Commissioner.

University of York Web Site Leaks Data On Entire Student Population

Adam Dodge — Tue, 15 Mar 2011 02:13:07 +0000

Quick Facts

Date: 3/14/2011
Institution: University of York
Type of Incident: Unauthorized Disclosure
Number Affected: 17,904
Source: ESI
Abstract Source: Nouse - University of York's Student Website

Abstract
The University of York is apologizing after a university website may have exposed personal student information. It was recently discovered that a student inquiry screening function enabled on the University of York web site disclosed personal details such as names, mobile phone numbers, home and university addresses, dates of birth, email addresses, and emergency contact information for 17,094 undergraduate, post-graduate and part-time students. The information was available to the general public and could be retried by entering as little as initials or course information. According to Stephen Town, University of York's Director of Information, the university rectified the situation as soon as it was notified and has notified the Information Commissioner about the breach. The university apologized for the incident and has launched an investigation to fully review data security at the university.

Zeus Computer Virus Exposes Virginia Tech Social Security Numbers

Adam Dodge — Sat, 12 Mar 2011 02:31:22 +0000

Quick Facts

Date: 3/11/2011
Institution: Virginia Tech
Type of Incident: Penetration
Number Affected: 370
Source: ESI
Abstract Source: The Roanoke Times

Abstract
Virginia Tech recently notified a number of current and former employees after a computer virus may have exposed personal information. The infected computer, located in VT's controller's office, contained the names and Social Security Numbers of 370 current and former employees. The Zeus infection, which occurred on Feb 15, was discovered on Feb 23 during an audit of computers that store Social Security numbers. In the letters to those affected the university is offering 12 months of credit monitoring. According to VT spokesman Mark Owczarski, there have been no reports of identity theft relating to the breach.

University of Windsor Mailing Mixup Send Tax Slips To Wrong Addresses

Adam Dodge — Fri, 11 Mar 2011 01:09:56 +0000

Quick Facts

Date: 3/10/2011
Institution: University of Windsor
Type of Incident: Unauthorized Disclosure
Number Affected: 650
Source: ESI
Abstract Source: CBC News

Abstract
The University of Windsor recently sent out notification letters after a mailing mixup exposed personal information. The university's Finance Department sent out 650 T4 tax slips, containing names, Social Insurance Numbers, and financial information, that were addressed to the wrong recipients. After discovering the mistake, the university sent out email messages and letters as well as placed phone calls to the recipients of these 650 tax slips and have received around half of them back. Executive Director of Communications Holly Ward said the university plans to increase communication efforts to get the rest of the 650 tax slips back.

Stolen Midlands Tech Flash Drive Contains Personal Information

Adam Dodge — Fri, 11 Mar 2011 00:36:52 +0000

Quick Facts

Date: 3/9/2011
Institution: Midlands Technical College
Type of Incident: Theft
Number Affected: 500
Source: DataBreaches.net
Abstract Source: The State

Abstract
Midlands Technical College recently notified employees after the theft a flash drive containing sensitive information. The flash drive, stolen from the college's human resource office, contained HR data on 500 employees. The flash drive was later returned to the college, but it did not contain any of the information that was on the drive when it was stolen. According to Midland's Director of Human Resources and Legal Counsel Crystal Rookard the individual responsible for taking the drive indicated they did not open or view any of the files on the drive. As a precaution, Midlands is offering one year of credit monitoring to affected employees.

[Update1]Former Eastern Michigan University Student Workers Investigated For Providing Personal Information To Third Party

Adam Dodge — Thu, 10 Mar 2011 00:49:06 +0000

Quick Facts

Date: 3/9/2011
Institution: Eastern Michigan University
Type of Incident: Employee Fraud
Number Affected: 64 (Updated)
Source: DataBreaches.net
Abstract Source: The Eastern Echo
Update1 Source: Detroit Free Press

Abstract
Eastern Michigan University is notifying students after investigating inappropriate student records access by former student workers. The individuals under investigation appear have to inappropriately used their access records containing the names, dates of birth and Social Security numbers to provide the information of 45 students to an unauthorized third party. The EMU Police are investigating the incident with assistance from Federal authorities and EMU is not in a position to disclose details. The individuals affected have been advised to place fraud alerts on their credit reports and the university has plans to notify the campus community when it is in a position to do so.

Update1
Eastern Michigan University has identified 58 individuals whose information was accessed without authorization by two former student workers. In addition, 6 students have come forward after unable to file Income Tax Returns since someone had already used their Social Security numbers on other returns.

[Update1]UMass Amherst Health Service Breach Exposes PHI of 942 Individuals

Adam Dodge — Thu, 10 Mar 2011 00:20:39 +0000

Quick Facts

Date: 3/9/2011
Institution: University of Massachusetts Amherst
Type of Incident: Penetration
Number Affected: 942
Source: ESI
Abstract Source: Health Data Management
Update1 Source: UMass Press Release

Abstract
The University of Massachusetts Amherst began notifying individuals on March 7 after an investigation concluded a breach placed protected health information at risk. The breach, which involved a malware infection on a workstation that could have allowed unauthorized access, involved the names, insurance information, medical record numbers, medication information, physician information, pharmacist information and prescription history of 942 UMass Amherst Health Center patients. UMass staff became aware of the breach on October 28, 2010 and launched an investigation that was finished on Feb 1, 2011. The investigation discovered that the breach initially occurred on June 30, 2010. When asked about the 60 day notification requirement, the university believes it is in compliance since the notification was made less than 60 days after the investigation was concluded. A UMass spokesperson said the university feels the best process is to advise individuals to monitor their accounts and credit reports for unauthorized activity and will not offer free credit protection. Internally, UMass has implemented several steps to help increase security including installing automated software to detect unauthorized activity, increased staff training and will improve the identification of personal information on departmental computers.

Update1
For more information, here is a link to the UMass Press Release.

Stolen USB Drive Contained Information on Current, Former Western Michigan University Students And Staff

Adam Dodge — Wed, 09 Mar 2011 01:29:46 +0000

Quick Facts

Date: 3/8/2011
Institution: Western Michigan University
Type of Incident: Theft
Number Affected: Hundreds
Source: ESI
Abstract Source: WWMT, mLive.com

Abstract
Western Michigan University recently began sending out notifications after a staff member discovered a USB drive was missing. The drive, used for backups in an unnamed WMU department, contained the names, addresses, student ID numbers and Social Security Numbers on hundreds of current and former faculty, staff and students. The drive was discovered missing on January 25 and, according to WMU spokesperson Cheryl Roland, the university is not sure if the drive was stolen or lost. The individuals affected by this incident have been offered 12 months of free credit monitoring. WMU's Public Safety department has investigated the incident but were unable to locate the missing drive.

UMass Notifies Patients After Infection May Have Exposed University Health Services Records

Adam Dodge — Mon, 07 Mar 2011 11:40:29 +0000

Quick Facts

Date: 3/7/2011
Institution: University of Massachusetts Amherst
Type of Incident: Penetration
Number Affected: 942
Source: DataLoss DB
Abstract Source: Health Data Management, University of Massachusetts News Release

Abstract
The University of Massachusetts recently notified individuals after staff discovered malware on a computer containing protected health information. The computer, used in UMass's University Health Services, contained the names, health insurance company and medical record numbers on 942 UHS patients. In addition, the computer contained the prescription information, including medication, pharmacist, quantity, length of prescription and physician between Jan 2009 and Nov 2009 for these patients. The computer was originally infected in June 2010 and was corrected by the end of Oct 2010. A follow up investigation did not find any evidence that the protected health information was copied. In the letter, UMass officials advise affected individuals to monitor their health insurance information for any unusual activity but believes the likelihood of problems to be very low. UMass has responded to the incident by increasing training of UHS staff, installing automated software to discover malware infections and increasing efforts to discover protected information on desktops and workstations.

University of South Carolina Breach Affected Thousands At All Eight Campuses

Adam Dodge — Sat, 05 Mar 2011 00:15:17 +0000

Quick Facts

Date: 3/4/2011
Institution: University of South Carolina, Sumter
Type of Incident: Penetration
Number Affected: 31,000
Source: ESI
Abstract Source: The Post and Courier, The State

Abstract
The University of South Carolina recently notified individuals that their personal information may have been exposed during a January 2011 security breach. The notices were sent to 31,000 faculty, staff, students and retirees at all eight University of South Carolina campuses after the breach of a server that is used by USC campuses to share data and information. The university does not have any evidence that personal information was accessed during the breach. The affected server was taken offline within two hours of discovering the breach in January. However, notices did not go out until all individuals potentially affected had been identified on March 1. According to USC spokeswoman Margaret Lamb, the university has addressed the issue, notified the individuals affected and provided these individuals with information on how to protect themselves from identity theft. It is not clear how the breach occurred, but according to Lamb the cause was human error.

Updated to correct typos. Special Thanks to Allison Dolan for pointing out the error. - Adam

Flinders University Employee Abuses Access, Steals $27 Million

Adam Dodge — Fri, 04 Mar 2011 13:08:24 +0000

Quick Facts

Date: 3/4/2011
Institution: Flinders University
Type of Incident: Employee Fraud
Number Affected: N/A
Source: ESI
Abstract Source: Sydney Morning Herald

Abstract
A Filnders University cashier recently admitted to stealing over $27 million from the university. Christopher Wayne Fuss plead guilty to the charge he abused his position to falsify banking and financial records to steal $27,354,903 between 2008 and 2010. Fuss used two passwords to move the stolen money to different bank accounts including a personal account, the accounts of a few associates and even to a share trading account. Fuss used the money to purchase a $50,000 stake in a basketball team, donate $48,000 to a charity for the homeless and purchase a $1.7 million home. Fortunately Flinders University was able to recover more then $20 million and the expected shortfall of less then $1 million will not have any impact on the university being able to deliver programs.

Google Indexes Missouri State University Students Social Security Numbers

Adam Dodge — Fri, 04 Mar 2011 00:42:16 +0000

Quick Facts

Date: 3/3/2011
Institution: Missouri State University
Type of Incident: Unauthorized Disclosure
Number Affected: 6,030
Source: ESI
Abstract Source: News-Leader

Abstract
Missouri State University is working to notify students after personal information was discovered online. Nine lists containing the names and Social Security numbers of 6,030 College of Education students enrolled between 2005 and 2009 were posted to an unsecured server that allowed public Internet access. The lists were initially uploaded between October and November 2010 as part MSU's College of Education accreditation review. The lists were eventually indexed by Google which allowed the contents to show up as part of Google searches. According to Chief Information Officer Jeff Morrissey MSU is taking this breach very seriously and hopes the steps taken by the university will help prevent and misuse of the information. Thus far MSU has:

Removed the lists from the public web server and worked with Google to remove the information from Google's systems
Contacted all 6,030 individual affected and offered identity theft protection at a negotiated rate of $7/person (~$42,210 total)
Notified the Missouri Attorney General of the breach as required by state law
Initiated disciplinary action against the employee that posted the information to the unsecured server
Begun working with all college deans to ensure that policies and processes in place to secure university information are being followed

Imperial College Users Forced To Change Passwords Following Server Breach

Adam Dodge — Fri, 25 Feb 2011 12:48:21 +0000

Quick Facts

Date: 2/25/2011
Institution: Imperial College London
Type of Incident: Penetration
Number Affected: Unknown
Source: ESI
Abstract Source: Live!

Abstract
The Department of Computing at Imperial College London recently warned staff and students that all users will need to change their passwords following a server breach. The breach affected a linux server at the college that is used in the network login process. In response to the breach, college staff shut down two servers, "shell1" and "shell2", and sent a notice to users that everyone will need to change their passwords by 5PM GMT on February 25, 2011. Users that fail to changes their passwords by this deadline will have their accounts locked and will not be allowed to access any college services.

St George's University of London Server Breached

Adam Dodge — Wed, 23 Feb 2011 00:29:32 +0000

Quick Facts

Date: 2/22/2011
Institution: St George's University of London
Type of Incident: Penetration
Number Affected: N/A
Source: ESI
Abstract Source: Guardian News

Abstract
St George's University of London and the London Metropolitan Police have launched separate investigations into the breach of a St George's server that occurred in mid-February. Unknown individuals breached a database server run by St George's University of London medical school and used the access to send out a number of offensive email messages to users. One of the email messages claimed database was "closed due to Aids" and another claimed the St George's Administrative Board was involved with child pornography sting. The Primary Care Electronic Library (PECL) database is an online directory for doctors and nurses and does not contain any medical or sensitive information.

Chapman University Discovers Personal Information Online

Adam Dodge — Wed, 23 Feb 2011 00:16:35 +0000

Quick Facts

Date: 2/22/2011
Institution: Chapman University, Brandman University
Type of Incident: Unauthorized Disclosure
Number affected: 13,000
Source: ESI
Abstract Source: LA Times

Abstract
Chapman University has begun notifying students after a document containing personal information was discovered online. The document, discovered by a Chapman student, contained the names, Social Security numbers, student ID numbers and financial aid information on 11,000 current and former Chapman University and Brandman University students as well as information on 2,000 applicants. The student immediately reported the file to Chapman officials. The file apparently was accidentally moved to the insecure folder. The investigation also found that the student who reported the file was the only individual to access the information according to Chapman spokesperson Mary Platt. As a precaution, Chapman is offering credit monitoring services to those affected by this incident.

[Update1]Saginaw Valley State University Web Server Shutdown By Attack

Adam Dodge — Mon, 14 Feb 2011 12:20:19 +0000

Quick Facts

Date: 2/7/2011
Institution: Saginaw Valley State University
Type of Incident: Penetration
Number Affected: N/A
Source: ESI
Abstract Source: WNEM
Update1 Source: Saginaw Valley Journal

Abstract
Saginaw Valley State University recently sent a notice to students following an attack on the university's web site. An unknown individual was able to gain access to the web server and used it send out large amounts of spam over several days. According to SVSU Executive Director of Information Technology Services Ken Schindler, there is no evidence that the attacker attempted to gain access to any other SVSU system. There was no personal or protected information on the web server but the campus was notified about the incident since the university's web site was taken offline to give staff time to repair the server.

Update1
Saginaw Valley State University are still working to upgrade the SVSU web server following the breach. According to SVSU Executive Director of Information Technology Services Ken Schindler, it appears that the hackers gained access through two security holes, one in a student organization's web page and the other in the content management system used on the server. One of the causes for the delay is the changes in latest version of the content management system which renders parts of the SVSU "unacceptably broken". To help get the web page back online, SVSU has engaged Cast Iron Coding at an hourly rate of $125. Overall, Schindler is pleased with the way his staff has responded to the breach despite comments from the SVSU community questioning the performance of ITS staff. According to an SVSU spokesperson, the breach of the web server has not affected SVSU President Eric Gilbertson's confidence in Schindler.

Solano Community College Hacking Investigating Uncovers Large Fraud Scheme

Adam Dodge — Fri, 11 Feb 2011 12:06:38 +0000

Quick Facts

Date: 2/11/2011
Institution: Solano Community College
Type of Incident: Penetration
Number Affected: Unknown
Source: DataBreaches.net
Abstract Source: Solano Tempest
Abstract
Solano Community College recently alerted students after discovering attempts to alter the college's financial aid website. According to Solano Community College Chief of Police Steven J Dawson, it does not appear that any students were affected by this fraud. While the investigation is still on-going, Dawson did state they are now aware of a "fairly large" student financial aid loan fraud scheme. There is at least one person of interest in the investigation but Dawson declined to identify this individual.

University of Washington Medical Records Sold At Surplus Furniture Store

Adam Dodge — Thu, 03 Feb 2011 11:28:22 +0000

Quick Facts

Date: 2/3/2011
Institution: University of Washington
Type of Incident: Unauthorized Disclosure
Number Affected: 17 (via PHIPrivacy.net)
Source: PHIPrivacy.net
Abstract Source: KING5

Abstract
KING5 was recently contacted by an individual that obtained University of Washington medical records while purchasing surplus furniture. The information is stored on 19 DVDs and one paper record and is comprised of mostly X-ray and MRI images of spines. KING5 Allen Schauffler was able to trace Vicki Goetz, whose name, along with phone number, was on a post-it note attached to a DVD. According to Goetz, she was a patient of the UW Bone and Joint Center and had two different surgeries there before finding another doctor. UW has stated that they are not sure how these files could have been left in surplus furniture but offers apologies to everyone affected. A UW spokesperson also said the university is reviewing policies and procedures and will work to tighten things up.

University of Iowa Staff Fired, Suspended After Inappropriate Records Access

Adam Dodge — Thu, 03 Feb 2011 06:00:00 +0000

Quick Facts

Date: 2/3/2011
Institution: University of Iowa
Type of Incident: Employee Fraud
Number Affected: 13
Source: ESI
Abstract Source: Press-Citizen

Abstract
University of Iowa officials have taken access against five staff members for their involvement in unauthorized access to hospital records. Three staff members have been fired and two have been suspended without pay for five days for inappropriately accessing the medical records of 13 UI football players being treated for rhabdomyolysis. Citing federal privacy laws, UI has not named the individuals involved, the information accessed or how the information was used.

Hundreds of East Carolina University Higher One Cards Affected By Breach At Local Store

Adam Dodge — Wed, 26 Jan 2011 12:24:05 +0000

Quick Facts

Date: 1/26/2011
Institution: East Carolina University
Type of Incident: Penetration
Number Affected: Hundreds
Source: ESI
Abstract Source: WNCT, WCTI 12

Abstract
Hundreds of East Carolina University students that used their ECU issued Higher One debit and credit cards at the University Book Exchange in mid-January have reported unauthorized charges following a breach of the UBE's systems. The fraudulent charges are for a wide range of goods and services mostly around the Los Angeles area. Don Edwards, owner of UBE, said they do not know how this happened but are studying the situation. While the investigation is still ongoing, UBE has implemented additional security measures to help protect customer data. Fortunately for ECU students, all Higher One cards have zero liability protections so students are not responsible for fraudulent charges.

Wentworth IT Student Information Posted Online

Adam Dodge — Tue, 25 Jan 2011 00:30:00 +0000

Quick Facts

Date: 1/24/2011
Institution: Wentworth Institute of Technology
Type of Incident: Unauthorized Disclosure
Number Affected: 1,300
Source: PHIPrivacy.net
Abstract Source: WCVB

Abstract
Wentworth Institute of Technology is notifying current and former students after personal information was discovered online. According to the letter, the information found online included the names, Social Security numbers, dates of birth, allergies, medications, medical conditions and disability information on 1,300 current and former students. According to WIT spokesperson Jamie Kelly, the information was placed online by mistake and could only be found through a "targeted search" of the WIT website.

Special Thanks to Dissent from PHIPrivacy.net, DataBreaches.net and PogoWasRight for letting ESI know about this incident - Adam