Data pain: University of Florida warns 333,000 dental school patients of breach

Computerworld - In an incident that is likely to further reinforce the reputation that college networks and systems have of being notoriously insecure environments, the University of Florida yesterday disclosed that it has notified more than 333,000 people about the potential compromise of their personal data following a system intrusion at its dental school.

The compromised data included the names, dates of birth, Social Security numbers, and addresses of current and former College of Dentistry patients dating back to 1990, as well as information about dental procedures in some cases, the university said in a statement. The data had been stored unencrypted in a database on the breached server, it added.

In addition to the 330,000 people who were notified, another 8,000 individuals whose current mailing addresses couldn't be found were affected by the intrusion, according to the statement. Officials at the university in Gainesville hope that those patients will learn about the data breach through media coverage of yesterday's disclosure.

The breach was discovered Oct. 3 while the server was being upgraded. The university said IT staffers discovered then that malware had been installed on the system from a remote location. It added that the server was "immediately disconnected" from the Internet and that stronger security controls have since been put in place. No details about the new controls were disclosed.

The university noted that the breach occurred despite what it said were several previous security measures designed to mitigate such risks, such as encrypting data while it's in transit and strengthening firewalls and intrusion-detection systems.

A university spokeswoman said that there were multiple reasons why the notifications were sent out more than a month after the breach was first discovered. Initially, IT workers and external consultants who were brought in to help needed to determine what the scope of the breach was and figure out how many people had been affected. Later, law enforcement officials asked the university to withhold disclosure while the breach was being investigated, the spokeswoman said. It also needed time to establish a call center and set up a Web site to handle questions from affected individuals.

The spokeswoman added that the time taken by the university was in line with Florida breach disclosure rules that require organizations to notify people about a potential compromise of their personal data within 45 days of its discovery.