The Breach Blog: University of Florida breach affects adolescent girls

The Breach Blog, from FRSecure

University of Florida breach affects adolescent girls

Date Reported:

7/6/10

Organization:
University of Florida

Contractor/Consultant/Branch:
Department of Epidemiology and Health Policy Research
ICF Macro
Renaissance Printing

Location:
Multiple

Victims:
"adolescent girls"

Number Affected:
2,047

Types of Data:
"Social Security or Medicaid identification numbers"

Breach Description:
"GAINESVILLE, Fla. — University of Florida officials have notified 2,047 people that their Social Security or Medicaid identification numbers were included on address labels affixed to letters inviting them to participate in a research study."

Reference URL:
University of Florida Announcement
The Gainesville Sun

Report Credit:
University of Florida

Response:
From the online sources cited above:

University of Florida officials have notified more than 2,000 adolescent girls that their Social Security or Medicaid identification numbers were mistakenly printed on address labels sent on letters inviting them to take part in a research study.
[Evan] As you read on, you will probably agree that this breach is not likely to lead to identity theft, but the fact that adolescent girls are involved really bugs me. At some point, we really need to explore changes to how we track people. A single number used globally for identification and authentication (Social Security number) just doesn't work.

The letters were mailed May 24 to the parents of the girls seeking their participation in a study about human papillomavirus, or HPV, vaccination.

After the problem was discovered June 6, UF officials said that they launched an investigation and notified state and federal officials of the breach.

Officials said they have no indication that the information has been used in identify theft or for other unlawful purposes.

"We think the risk is pretty low of that happening, but we wanted to take all the appropriate steps" to notify the potential study participants of the breach, said Melanie Fridl Ross, a spokeswoman for UF's Health Science Center.
[Evan] It's the right thing to do.

The study was conducted through the UF College of Medicine's Department of Epidemiology and Health Policy Research.

The letters were sent to parents or guardians of girls listed in a statewide database to seek their participation in a telephone survey.

The study included girls ages 11 to 17 who had received the HPV vaccine and a control group of girls ages 9 to 17 who had not been vaccinated.

The numbers on the labels were supposed to have been randomly generated. Instead, the labels included 647 Social Security numbers and about 1,400 Medicaid numbers, in both cases preceded by an alphabetical character with the hyphens omitted, according to UF.
[Evan] The fact that the Social Security numbers were somewhat obscured does reduce the risk of bad things happening. Unfortunately the risk is still higher than if the numbers were not used at all.

The research firm, Burlington, Vt.-based Macro International Inc., plans to destroy the information and sign legal documents indicating the task has been completed, UF reported.

The Gainesville-based printer that produced the mailing labels, Renaissance Printing, has reported already doing so.

UF sent information to study subjects about steps they can take to safeguard their financial information. Anyone with questions can call the UF Privacy Office hotline at 1-866-876-HIPA.

Commentary:
Breaches that affect kids are very disturbing. Don't mistake the fact that this is actually a breach, even if misuse is not imminent.

I never feel comfortable with sending sensitive information in the mail, even if the information is completely enclosed in an envelope. A person with bad intentions can easily intercept mail and use the information contained inside for evil deeds. Tampering with U.S. Mail service is a federal crime, but since when do criminals care about breaking laws?

Past Breaches:
Numerous

Posted by Evan Francen at 7/8/2010 12:17 AM