Security breach upsets UF clients

Published: Sunday, November 16, 2008 at 6:01 a.m.
Last Modified: Saturday, November 15, 2008 at 11:42 p.m.

George Baldacchino has received two letters from the University of Florida's privacy office over the past three years, neither of which contained good news.

In 2005, he was informed that a laptop was stolen containing his personal information along with the records of more than 3,800 patients at Shands at the University of Florida.

Last week, he was informed that a hacker accessed a computer server with his information and the records of more than 344,000 other patients at the College of Dentistry.

"They aren't doing enough to protect their clients' information," said Baldacchino, a Gainesville business consultant. "Life is stressful enough."

UF records show 15 privacy breaches occurred in the year prior to the latest incident. They range in size from a prospective student's UF application that was accidentally viewed by another applicant to the posting of more than 11,500 students' personal information on a Web site.

While data security breaches are common for all institutions, universities comprise fewer than 5 percent of those incidents, said Rodney Petersen, security task force coordinator for Educause. The nonprofit promotes the intelligent use of information technology in higher education.

Petersen said three to five incidents in the last couple years is a typical number for a large university.

"Having incidents in the double digits is probably larger than usual," he said.

Most of UF's previous breaches have been relatively small and involved human error, said Kyle Cavanaugh, UF senior vice president for administration.

The university works to prevent breaches through measures such as training, regular scans of systems and limiting the use of Social Security numbers, he said.

"We prefer to have zero [but] we're always going to have some level of vulnerability," he said.

The most recent breach was discovered Oct. 3 when College of Dentistry staff members were upgrading a computer server. They discovered that a hacker had accessed the server, which contained dental procedure information, Social Security numbers and other personal information from current and former patients.

"The level of sophistication was pretty high," Cavanaugh said. "This was not your run-of-the-mill hacker."

While some portion of the information was accessed, he said, there's no indication that all of it was taken.

Alachua resident Carol Jones was one of the patients whose information was exposed. She received a letter from UF informing her of the breach on Nov. 12, the same day the information was released to the media.

"I was not happy that it took them five weeks to notify us and the next day it was in the newspaper," she said.

UF Health Science Center spokeswoman Melanie Fridl Ross said the time was needed to take steps such as identifying the patients in the records, determining their contact information was correct and contracting with a company to mail notification letters to them.

Under state law, UF has 45 days following the discovery of a breach to send notifications.

While UF lacked addresses for another 8,248 patients, letters were mailed Monday to alert 336,234 patients about the breach. Ross said the names were checked against two tiers of U.S. Postal Service forwarding addresses, but at least one letter went to the wrong Gainesville address.

A hot line, 1-866-783-5883, also was established for patient questions. More than 10,250 calls had been received in the call center by the end of Thursday, Ross said.

The incident is the latest in a seemingly endless stream of security breaches around the world. Hackers are constantly scanning the Internet for security weaknesses, said Joe Cosmano, director of engineering at the Orlando-based data center and service provider Atlantic.Net.

Institutions can address the problem by encrypting data, installing intrusion detection systems and regularly scanning computers for malicious content, he said.

"A lot of it is preventable," he said. "A lot of it comes down to limiting access" to people who are not versed in proper security measures.

Petersen said another issue is that technology allows information to be put on devices from laptops to personal digital assistants. Encrypting information is one solution, he said, but the technology is still maturing and "just adds another layer of complexity."

UF officials reported that the dental college breach involved unauthorized software that had been installed on the server from outside the university. The FBI and University Police are investigating the incident.

The dental college server has been upgraded, according to officials. Another 60,000 computers are being screened to ensure appropriate safeguards are in place to prevent breaches.

"Certainly our goal is to have zero," Cavanaugh said. "We take every one of these serious."

But Baldacchino said he's lost confidence in UF. He said he'll no longer be a patient at any clinic operated by the university, to try to keep his information from being exposed again.

"They screw up, and they take zero responsibility," he said.

