Coosa Valley News reports:
Rome police have now said that over 30 victims have been reported from an identity theft at Shorter University. Reports said that the people had their medical records stolen and have now used their information to file fraudulent tax returns. Police sad that two files medical records belonging to student athletes were taken from Shorter back in September 2014.
Investigators said that the door to the records room was not locked and was easily accessible for the suspect(s).
They added that more than 900 records could have been taken.
The theft of the student records had been discovered on September 23, 2014. Earlier this month, two students claimed to be victims of identity theft.
Keep in mind that although these are reported as “medical records,” that does not necessarily mean they are protected by HIPAA. The university’s student health services clinic is a HIPAA-covered entity, but these records do not appear to have been stolen from the clinic.
The University’s September letter to those affected explained that these were the annual physical examination records of former student athletes with some of their personal information, including dates of birth and SSN. As such, they were likely protected by FERPA, but not HIPAA.
Update: After two requests, I received Shorter University’s response to an inquiry by this blogger as to whether the records were stolen from the health services or athletic department, and whether the records were covered by HIPAA or FERPA:
We are unable to comment due to the pending litigation.