Encarnacion Pyle reports:
Ohio State University Medical Center has notified 30 patients and 150 students that a hacker might have accessed their names, medical information and/or Social Security numbers.
Officials said there is no indication that any personal information was taken or that the incident has resulted in identity theft, but they are providing 12 months of free credit-monitoring services as a precaution.
“It seems that a hacker from a foreign country tried to get into an Internet server, but it doesn’t appear as though they got any patient information or personal information for any of our current or former students,” said David Crawford, a medical-center spokesman.
Read more on The Columbus Dispatch.
It’s interesting that it was the state that notified them of a problem involving a pathology department server. I wonder how the state became aware of it. And why the medical center hadn’t been aware of it on its own. It’s also troubling that it took an extensive forensic analysis for them to realize that the server contained two databases of personal information that should not have been on that server. If you don’t know you’ve got personal data on a server, are you as vigilant in protecting the server? How did the databases get there? I hope OSU figures this out – and that they implement a thorough audit/investigation of all servers to determine what else might contain personal data that is not supposed to be there. Consider this:
One contained the names, medical-record numbers and diagnoses of 30 people who had been patients of the pathology department from the late 1980s to 2004. The other was a roster of students who had trained at the medical center in 2006. The list included the students’ names and Social Security numbers.
These were old data. They could have remained there forever without any awareness on OSU’s part – ripe for hacking.
OSU is clearly not the only medical center to have this type of situation and I don’t want to point a finger at them as if they are somehow more lax in security than any comparable center. But I do think it highlights some of the risks and why periodic and thorough audits are needed.