Our Data, Our Rules: Rethinking Protections for Institutional Data

The headlines scream of data breaches involving universities.

Maryland: 300,000 university records with Social Security numbers hacked

North Dakota: 291,465 student and 784 employee records taken

Virginia: 144,000 job applications illegally accessed

Delaware: 74,000 Social Security numbers stolen

Intrusions by hackers also strike close to home: Thieves stole information on 163,000 students, faculty, staff, alumni, and applicants at an Indianapolis university.

At my own university, a Student Services staffer moved data from a secure site to a public site for easier access. Records of 146,000 students were exposed for 11 months; thankfully, we have detected no misuse of their data to date.

As we welcome our students back to Indiana University, our discussions increasingly turn towards security. This is crucial for those of us in the health sciences community. While protecting all data for the university is important, it is paramount for the health sciences schools. We manage the most sensitive data of all: personal medical history.

Responding to the Indianapolis breach, Fred Cate, Distinguished Professor and C. Ben Dutton Professor of Law at the Indiana University Maurer School of Law, said, “You might think your Social Security number is a secret, but it’s the worst-kept secret in the world.” You willingly give your Social Security number to doctors, financial companies, your employer, and many others. While the release of your Social Security number might result in identity theft and be terribly inconvenient, there are steps you can take to undo the damage.

However, the exposure of our most personal information – your history of sexually transmitted diseases, for example – can never be undone.

While we all take steps to protect data centers, servers, databases, and desktops, security lapses are frequently due to human error. In the last year alone:

  • A breast cancer treatment center in Indianapolis mailed 63,000 letters containing information on upcoming appointments to the wrong people.
  • Thousands of paper records containing personal medical information, doctors’ notes, Social Security numbers, and insurance information were dumped at a public incineration site in York, Pennsylvania.
  • A break-in at offices of a billing firm for county health services in Torrance, California, yielded eight laptops with medical information on almost 169,000 people.

That last event is all too common. Mobile devices are stolen or lost every day — and, increasingly, these are personal devices. In the ancient past (five years ago), we could make a reasonable attempt to control the security around devices used at work because they were purchased by the university: our devices, our rules.

Read more of this article on data breaches from Med Tech Outlook magazine.