UF officials notify dental patients of computer breach
November 12, 2008
GAINESVILLE, Fla. — University of Florida officials have notified about 330,000 current and former dental patients that an unauthorized intruder recently accessed a College of Dentistry computer server storing their personal information.
The breach was discovered Oct. 3, while college information technology staff members were upgrading the server and found software had been installed on it remotely.
Information stored on the server included names, addresses, birth dates, Social Security numbers and, in some cases, dental procedure information for patients dating back to 1990.
While there is no evidence the intruder has used any confidential information stored on the server for fraudulent purposes, letters were sent to patients via the U.S. Postal Service to alert them. The mailings included a brochure listing preventive steps they can take to obtain copies of their credit reports and to avoid identity theft or other illegal uses of their personal data.
A hotline, 1-866-783-5883, has been established to field patient inquiries.
“It’s unfortunate that like many large institutions we were targeted. We work hard to continually fine-tune our security protections, and maintaining our patients’ trust and confidence is of utmost importance,” said Teresa Dolan, dean of the UF College of Dentistry. “We cannot stress enough how seriously we take this matter. As soon as we learned of this situation, we launched an investigation and implemented additional safeguards designed to protect personal information. We urge patients to take the preventive steps we’ve outlined, and want to express our dismay at the inconvenience this occurrence may cause anyone.”
An additional 8,248 patients had data stored on the server, but current mailing addresses could not be identified for them. The university is notifying the national media in an attempt to reach them. Most of the patients are from Florida.
FBI and University Police Department officers are investigating the data security breach, with the full cooperation and support of the university and the College of Dentistry.
When the breach was discovered, IT staff immediately disconnected the server from the Internet to cut off the intruder’s access. The system has since been rebuilt with even more stringent security controls.
In recent years, UF has added and strengthened firewalls and intrusion detection systems, encrypted data flows containing sensitive information, and increased vigilance in identifying threats and securing servers.
“Despite these efforts, this illegal user was able to gain access to the server,” Dolan said.
UF officials are in the process of screening up to 60,000 additional computers from around campus to ensure appropriate safeguards are in place to protect the information stored on them.
“Our university, as with any university or college, is constantly under attack by people trying to find and exploit potential weaknesses in our IT security defense mechanisms,” said Charles E. Frazier, UF’s interim chief information officer. “It is a sophisticated and never ending ‘cat and mouse’ battle in which sometimes the mouse wins. Our IT teams are particularly vigilant in their work, understanding the importance of protecting the information on UF’s data systems and the importance of those records to our educational mission.”
For more information, please go to www.privacy.ufl.edu.