The University of Texas at Arlington recently learned that one of its file servers had been compromised, which potentially exposed the prescription records of approximately 27,000 individuals to an unauthorized source.

Federal and state authorities have been notified, including the U.S. Department of Health and Human Services, the Texas Department of Information Resources, The University of Texas System, and law enforcement officials.

There is no evidence to suggest that the compromised information is being used in an unauthorized manner as a result of this incident.

On June 21, 2010, the UT Arlington Office of Information Technology detected that data on a file server that contained Student Health Center prescription records had been compromised on four occasions: February 19, 2009; April 28, 2009; January 23, 2010; and February 10, 2010. The records dated from 2000 to June 21, 2010, and involved individuals who received a prescription or filled a prescription at the Student Health Center.

The file server in question was immediately taken offline and secured. The compromise was determined to be limited to that single file server. No other servers at the University were affected.

An extensive internal review of the matter has revealed that prescription records for approximately 27,000 individuals — including students, faculty, and staff — were potentially exposed to an outside source. In addition, records for 2,048 of the 27,000 affected individuals included Social Security numbers.

The information that may have been exposed also included names, addresses, prescription names, amount spent, and diagnostic codes. The data stored in the records did not contain credit card information or any other medical records.

To assist those who may be affected, UT Arlington has implemented the following measures:

• The University has established a Data Information Call Center to help answer questions about this incident. The telephone number is 800-913-3055. The call center is open seven days a week, 8 a.m. to 11 p.m., Central Standard Time (CST).
• Although it is possible that approximately 27,000 individuals may have had their data exposed, the University has mailed letters to all 21,554 individuals whose information was potentially exposed and for whom it had sufficient contact information. Since it is not possible to send notification letters to the remainder of those individuals for whom contact information was incomplete or unavailable, the University is using alternate methods to notify them.
• The University has mailed letters to the 2,048 individuals whose Social Security numbers may have been exposed and is offering them free credit monitoring for up to one year.
• Anyone who received a prescription or filled a prescription at the Student Health Center between 2000 and June 21, 2010 — and who does not receive a notification letter from UT Arlington by July 28, 2010 — may call the Data Information Call Center at 800-913-3055 for further information.
• This website has been created to provide the latest information related to this incident.

Additionally, the Federal Trade Commission offers resources for anyone who suspects he or she may be the victim of identity theft. The website is at www.ftc.gov/bcp/edu/microsites/idtheft/.