A tip of my cap to Jai Vijayan of Computerworld, who in the process of digging into the second recent University of Florida breach realized that the university had had a third breach in the past three months that hadn’t made the media.
Three breaches in three months sounds pretty bad, but it sounds even worse when you consider that in November 2008, Nathan Crabbe of The Gainesville Sun had discovered that the University of Florida had had 15 breaches in the year prior to the November incident in which a hacker accessed the records of 344,000 patients at the university’s College of Dentistry. In that case, the records on the hacked system went back to 1990. In the more recent incident affecting 97,000, records on the “Grove” computer went back to 1996.
So now the count seems to be 18 breaches in 18 months. At what point does someone say “enough is enough?” Because the U.S. Dept. of Health & Human Services (HHS) does not publicly reveal its investigations, it is unknown whether the university was ever investigated for breaches involving patient data. But what about the U.S. Department of Education? The DOE has the statutory authority to cut off all federal funds to a post-secondary institution for FERPA violations under some restricted conditions. They have never cut off funds to any institution as far as I can recall, and it is somewhat doubtful whether a pattern of repeated security breaches involving protected education records would meet the conditions under which they might cut off funds. It may surprise some readers to learn that FERPA does not even require that a covered entity notify individuals if their has been a breach of their protected information, merely that the institution make a note of the unauthorized disclosure in case the student or parent should ever inquire.
So how many strikes before they’re out or face some additional penalties? There may be no limit.