The University of Texas at Arlington has prepared these frequently asked questions as a resource for individuals who may be affected by the recent compromise of one of its file servers.
Q: What happened?
A: The University of Texas at Arlington recently learned that one of its file servers had been compromised, which potentially exposed the prescription records of approximately 27,000 individuals to an unauthorized outside source.
Q: Whose data was potentially compromised?
A: An extensive internal review has revealed that prescription records for approximately 27,000 individuals — including students, faculty, and staff — were potentially exposed to an unauthorized outside source.
Q: When did the data compromise happen?
A: On June 21, 2010, the UT Arlington Office of Information Technology detected that data on a file server that contained Student Health Center prescription records had been compromised on four occasions: February 19, 2009; April 28, 2009; January 23, 2010; and February 10, 2010.
Q: What kind of information was stored on the file server?
A: The records dated from 2000 to June 21, 2010 and involved individuals who received a prescription or filled a prescription at the Student Health Center. Among the information that may have been exposed were names, addresses, prescription names, amount spent, and diagnosis codes. Additionally, 2,048 of the records contained Social Security numbers.
Q: Did the data that was potentially exposed include Social Security numbers or credit card information?
A: A total of approximately 27,000 individual records were potentially exposed. Of those, a total of 2,048 records included Social Security numbers. No credit card information or any other medical records were stored on the file server.
Q: Has the University notified individuals whose records may have been exposed?
A: Yes. The University has mailed letters to all 21,554 individuals whose information was potentially exposed and for whom it had sufficient contact information. It is using alternate methods to notify the remainder of those individuals whose contact information was out-of-date or incomplete.
Q: Is the University providing credit monitoring for individuals whose Social Security numbers may have been exposed?
A: Yes. The University has contracted with Equifax to provide one year of free credit monitoring services for individuals whose Social Security numbers may have been exposed. Those individuals have been mailed letters detailing how to access and activate the credit monitoring services.
Q: Is there any evidence that the compromised information has been used in an unauthorized manner?
A: No. There is no evidence to suggest that the compromised information is being used in an unauthorized manner as a result of this incident.
Q: Have law enforcement authorities been notified?
A: Yes. The incident has been reported to law enforcement officials.
Q: What if I suspect I have been the victim of identity theft?
A: The University has contracted with Equifax to provide one year of free credit monitoring services for individuals whose Social Security numbers may have been exposed. Those individuals have been mailed letters detailing how to access and activate the credit monitoring services. Additionally, the Federal Trade Commission offers resources for anyone who suspects he or she may be the victim of identity theft. The website is at www.ftc.gov/bcp/edu/microsites/idtheft/
Q: Is there someone I can call if I have questions?
A: The University has established a Data Information Call Center to help answer your questions about this incident. The telephone number is 800-913-3055. The call center is open seven days a week, 8 a.m. to 11 p.m., Central Standard Time (CST).
Q: Were any other file servers or data compromised?
A: No. The data compromise was determined to be limited to one file server. The file server in question was immediately taken offline and secured. No other servers at the University were affected.
Q: Were academic records, such as grades and transcripts, affected?
A: No. The data compromise was limited to a single file server. No other servers at the University were affected.
Q: What is the University doing to ensure that other sensitive data is secured and to minimize the risk of this happening again?
A: The University takes very seriously its responsibility to safeguard records. Therefore, UT Arlington is engaged in an ongoing and careful review of its information technology security protocol and other policies and procedures to ensure that every effort is being taken to comply with the best security practices in the industry and to minimize the risk of a similar incident ever happening again.
Q: Did this data compromise affect any data for other UT System institutions?
A: No. The incident was limited to a single file server at UT Arlington.
Q: Have federal and state authorities been notified?
A: Yes. Federal and state authorities have been notified, including the U.S. Department of Health and Human Services, the Texas Department of Information Resources, The University of Texas System, and law enforcement officials.