TMCnet News
Hackers steal OU medical records: Third theft at school compromises data of 60,000 people(Columbus Dispatch (Ohio) (KRT) Via Thomson Dialog NewsEdge) May 12--Somewhere out there, computer hackers have the intimate details of the health problems and medical care of every student treated at the Ohio University health center in Athens. Hackers also found Social Security numbers, addresses and dates of birth of more than 60,000 current and former students and others while rummaging in a computer serving the Hudson Health Center. The discovery of the third data-theft case to afflict OU since April 23 was announced to students via e-mail yesterday as officials renewed warnings to be on the lookout for identity theft and fraud. The latest illegal access to OU computer servers, discovered May 4 and also being investigated by the FBI, compromised the privacy of medical records. The database held details of the complaints, diagnoses, treatment, prescriptions and physician notes on students and employees who visited the health center, OU officials said. However, the hackers might not be able to match medical records with individuals, said Bill Sams, OU's associate provost for information technology and chief information officer. The software split patient identification information, appointment schedules and medical records into three digitized chunks that can't be reunified without a series of codes, he said. But hackers emerged with at least the ID section intact, bringing to nearly 200,000 the number of OU alumni, students and others whose Social Security numbers and other identifying information have been pilfered. Hackers previously tapped an alumni database of more than 300,000 names and a server containing information on research and patent information that OU wants to commercialize. Fewer than a dozen people whose information was lifted from the alumni records have complained of identity theft and fraud, Sams said. The latest breach was discovered when the system was found infected with a virus, Sams said. It had been hacked two days earlier, he said. "We know a large amount of data was moved out," he said. The software vendor said its product met federal requirements mandating the privacy of medical information, Sams said. U.S. Health and Human Services Department officials reported they would investigate to determine whether federal privacy laws were violated. In addition to all current Athens students, the healthcenter computer contains information on everyone treated there since fall 2001, including Athens-campus students and a small number of regional campus students and faculty and staff members. Information on patients who used counseling and psychological services did not include clinical records, which are kept only on paper, officials said. OU is sending e-mails and letters to those whose information was taken. Stephanie Orbon, 20, a second-year OU student from Irvin, Pa., was alarmed by the latest breach. "I assumed it was secure, but apparently not. It appears they need to do a better job," she said. An audit of OU computer systems, which is being conducted to improve security and detect any other hacking that might have occurred, should be finished within 10 days, Sams said. Three OU officials have been placed on paid administrative leave to help ensure a "full and fair" audit, OU spokesman Jack Jeffery said. The action is not disciplinary, and the employees are not suspected of wrongdoing, he said. Duane Starkey, director of computer services; John Beam, assistant director of computer services; and Steve Ray, server administrator, were suspended Friday. For information on protection against identity theft, visit www.ohio.edu/datasecurity or call 1-800-901-2303. [email protected] |