U of Fla Warns Dental School Patients of Breach

In an incident that is likely to further reinforce the reputation that college networks and systems have of being notoriously insecure environments, the University of Florida Wednesday disclosed that it has notified more than 333,000 people about the potential compromise of their personal data following a system intrusion at its dental school.

The compromised data included the names, dates of birth, Social Security numbers and addresses of current and former College of Dentistry patients dating back to 1990, as well as information about dental procedures in some cases, the university said in a statement. The data had been stored unencrypted in a database on the breached server, it added. In addition to the 330,000 people who were notified, another 8,000 individuals whose current mailing addresses couldn’t be found were affected by the intrusion, according to the statement. Officials at the university in Gainesville hope those patients will learn about the data breach through media coverage of Wednesday’s disclosure.

The breach was discovered Oct. 3 while the server was being upgraded. The university said IT staffers discovered then that malware had been installed on the system from a remote location. It added that the server was “immediately disconnected” from the Internet and that stronger security controls have since been put in place. No details about the new controls were disclosed.

The university noted that the breach occurred despite what it said were several previous security measures designed to mitigate such risks, such as encrypting data while it’s in transit and strengthening firewalls and intrusion detection systems.

A university spokeswoman said that there were multiple reasons why the notifications were sent out more than a month after the breach was first discovered. Initially, IT workers and external consultants who were brought in to help needed to determine what the scope of the breach was and figure out how many people had been affected. Later, the university was asked by law enforcement officials to withhold disclosure while the breach was being investigated, the spokeswoman said. It also needed time to establish a call center and set up a Web site to handle questions from affected individuals.

The spokeswoman added that the time taken by the university was in line with Florida breach disclosure rules that require organizations to notify people about a potential compromise of their personal data within 45 days of its discovery. As is typical with most disclosures of this sort, the university didn’t identify the kind of server that was breached or specify how the intruder gained access to it. It also didn’t say when the intrusion began or how long it remained undetected.

In the wake of the discovery of the breach, the university is working to examine nearly 60,000 other computers on its campus to ensure that they aren’t similarly vulnerable to security threats, the spokeswoman said.

A list of data breaches dating back to 2005 that is maintained by the Privacy Rights Clearinghouse shows that about 60 of nearly 300 incidents reported this year were at universities. A similar list on a Web site called Educational Security Incidents pegs the number of academic breaches this year at an even higher number: 153. But it includes several incidents that happened outside the U.S.

The more notable breaches thus far this year include the following incidents:

— In April, Southern Connecticut State University notified 11,000 current and former students that their names, addresses and Social Security numbers may have been accessed by intruders who were using the school’s Web server to host an illicit site, allegedly as part of a spamming operation.

— That same month, Antioch University in Yellow Springs, Ohio, said that the failure to patch a vulnerable ERP server resulted in the potential exposure of data on about 60,000 people.

— And in March, Harvard University disclosed that the personal information of about 10,000 graduate students was exposed after unknown intruders broke into a server that contained data on individuals who had applied to the school for the 2007-2008 academic year or sought student housing.