[ISN] UNCG Discovers Health Information Security Breaches; 2,500 Being Notified

From: InfoSec News <alerts_at_private>
Date: Wed, 11 Aug 2010 01:00:22 -0500 (CDT)
http://www.uncg.edu/ure/news/stories/2010/aug/breaches080910.htm

By University Relations
Contacts: Michelle Hines, (336) 334-3207
Lanita Withers Goins, (336) 334-3890

Posted 8-9-10

GREENSBORO, N.C. -- Computer security breaches at two UNCG clinics 
allowed unauthorized access to information about more than 2,500 
individuals.

The university has mailed letters to the last known addresses of those 
whose personal information was exposed and posted notices on the 
clinics’ websites. The two computers infected with malware via the 
Internet were in the university’s Speech and Hearing Center and 
Psychology Clinic.

Although the problems were discovered days apart in June, they are 
believed to be unrelated. Employees of the clinics and Information 
Technology Services have been working since then to determine what 
records were vulnerable and who might be affected. It is not known how 
long the breaches lasted before detection. Although it was determined 
that the malware would have allowed access to data on the computers, it 
is unknown whether any information was actually taken from the 
computers.

“It is our responsibility to secure the information of individuals who 
come to us for health services, and that is a responsibility we take 
very seriously” said David H. Perrin, provost and executive vice 
chancellor. “We apologize to everyone whose records were vulnerable and 
ask them to closely monitor their credit for unauthorized activity. We 
fixed the security breaches as soon as they were detected, and we have 
taken steps to minimize the potential for future breaches.”

If you believe that your personal health information may have been 
exposed by the breach at the Speech and Hearing Center and you have 
questions or concerns, please call the center’s toll-free number, (877) 
550-6012, between 8 a.m. and 5 p.m. Monday-Thursday or between 8 a.m. 
and 4:30 p.m. Friday. For more information about the breach at the 
Psychology Clinic, call the clinic’s toll-free number, (887) 550-6008, 
between 9 a.m. and 4 p.m. weekdays, beginning Wednesday, Aug. 11.

Both the Speech and Hearing Center and the Psychology Clinic have taken 
steps to better protect personal health information and to prevent 
future breaches. They have:
* investigated to determine the extent of the breaches,
* strengthened technology safeguards and administrative policies to 
  prevent future intrusions, and
* isolated computers containing personal health information from likely 
  sources of malware, such as untrusted Internet sites.

The bulk of the impacted records are in the Speech and Hearing Center, 
where a breach was found June 10 and corrected the same day. The 
compromised computer was used for billing and contained records for 
about 2,300 people who have received services from the Center since 
1997. Vulnerable data included names, addresses, social security 
numbers, dates of birth, telephone numbers, insurance companies, 
insurance ID numbers, group numbers, diagnosis codes, procedure codes 
and charges.

The problem at the Psychology Clinic, involving malware on a computer 
used to document incoming phone calls, was detected and fixed June 7. 
The vulnerable computer contained a spreadsheet with names, dates of 
birth, telephone numbers, cities of residence, whether or not callers 
had insurance and dates of contact from about 240 callers between Sept. 
20, 2006, and Sept. 22, 2009. In some cases, the spreadsheet also 
contained reference to the caller or caller’s family member as “client,” 
symptoms reported by the caller, reference to an inquiry about testing 
or evaluation, and reference to “therapist/treatment/provider and/or 
services.” No social security numbers appeared on the spreadsheet.

The Psychology Clinic computer also held 18 phone intake/client data 
forms from March 2009 through June 2010. The forms included names, ages, 
dates of birth, telephone numbers, addresses, insurance providers (if 
any), social security numbers and dates of contact. In some cases, one 
or more of the following types of information also appeared on the form: 
therapist, case number, status of previous treatment, service requested 
and description of the problem.

The university encourages individuals whose information was exposed to 
review account statements and monitor credit reports for suspicious 
activity. People may also choose to put a fraud alert on their personal 
credit files. A fraud alert asks creditors to take extra precautions to 
verify the consumer’s identity before opening new accounts or changing 
existing accounts. A fraud alert may be created by contacting any of the 
three major credit bureaus:

* Equifax, (800) 685-1111, www.equifax.com
* Experian, (800) 397-3742, www.experian.com
* Trans Union, (800) 888-4213, www.transunion.com

For more information, visit the identity theft website of the Federal 
Trade Commission at http://wvisit ww.ftc.gov/idtheft or contact the 
North Carolina Attorney General’s Office by mail at 9001 Mail Service 
Center, Raleigh, N.C. 27699-9001; by phone at (919) 716-6400; or by fax 
at (919) 716-6750.

In addition to notifying individuals as required by the Health Insurance 
Portability and Accountability Act (HIPAA), UNCG has notified the U.S. 
Department of Health and Human Services and the Consumer Protection 
Division of the North Carolina Attorney General’s office.


--
Visit InfoSec News!
http://www.infosecnews.org/
Received on Tue Aug 10 2010 - 23:00:22 PDT

This archive was generated by hypermail 2.2.0 : Tue Aug 10 2010 - 23:04:32 PDT