University Breach Leads Roundup
235,000 Affected by Storage Vulnerability
In this week's breach roundup, Western Connecticut State University is notifying about 235,000 students and others that their personal information was exposed online. Also, Alere Home Monitoring in Waltham, Mass., reports that about 116,000 patients were affected by a breach involving a stolen laptop.
235,000 Affected by University Breach
Western Connecticut State University is notifying about 235,000 students and others that their records were exposed due to a storage system vulnerability.
The compromised information includes names, addresses, Social Security numbers and/or financial account information provided in association with transactions with the university, officials announced in an online FAQ.
Files containing personally identifiable information that were kept in the storage system were "stored in a manner that may have allowed unauthorized users to access the files in question from April 2009 to September 2012," the university said.
Upon discovering the problem, the university launched an investigation in cooperation with local police and notified the Connecticut Attorney General's office.
The university has found no evidence that records were inappropriately accessed, but is offering up to two years of free identity theft protection to those affected, according to a statement.
As a result of the breach, the university said it has added unspecified layers of protection. Plus, it will continue assessing and improving all aspects of its information security program.
Stolen Laptop Compromises Patient Info
Alere Home Monitoring in Waltham, Mass., is notifying about 116,000 individuals of a breach after an unencrypted company-owned laptop containing sensitive information was stolen from an employee's locked vehicle.
Alere provides home testing products and services for patients.
Compromised information includes names, addresses, dates of birth, Social Security numbers and diagnosis codes, company officials say.
Affected individuals will be notified about the incident and offered free credit monitoring services for one year. Alere is also notifying news media in "certain states," although it did not specify which ones.
As a result of the breach, Alere is deploying encryption to laptops that connect to its computer network and is providing additional education to staff.
The incident has been posted on the Department of Health and Human Services' Office for Civil Rights' list of breaches affecting 500 or more individuals.
Unencrypted Device Exposes Personal Data
The University of Virginia Medical Center and Continuum Home Infusion are notifying almost 2,000 patients after an unencrypted Palm device used by on-call pharmacists went missing around Oct. 5.
Continuum Home Infusion offers home health care, infusion, pediatric and psychiatric services.
Patient information stored on the device includes names, addresses, diagnoses, medications and health insurance identification numbers that, in some instances, are Social Security numbers, the company says.
A spokesperson for UVA Medical Center said 1,846 patients were affected. Although it's believed the device was lost and not stolen, a police report was filed.
Patients whose Social Security numbers may have been on the device will receive free credit monitoring for one year.
Patients Affected by Missing USB
Christus St. John Hospital in Houston is notifying an undisclosed number of patients who participate in the St. John Sports Medicine program that an unencrypted USB drive containing sensitive information has gone missing.
Information on the USB includes patient names, dates of birth, health insurance information, Social Security numbers, diagnoses and progress notes, according to a statement on the hospital's website.
The patients affected were treated from Jan. 1, 2011, to July 1, 2012.
Data Stolen on UK Civil Servants
More than 100,000 UK civil servants and public sector workers are being notified that their personal information was stolen in an attempt to defraud the government.
Members of the Civil Service Sports Club, a not-for-profit organization that promotes health in the workplace, were told that their names, addresses, dates of birth and National Insurance numbers were stolen from a central computer database, according to a report on the Telegraph newspaper's website.
The compromised information was then used to commit fraud aimed at stealing money from the UK government, the report said.