The university on Oct. 28 found a malware infection on a workstation hard drive and corrected it. A subsequent investigation, which ended on Feb. 1, 2011, determined the infection occurred on June 30 and that patient notification was required, a spokesperson says. Data at risk included patient names, insurer names, medical record numbers, medications, physician names, dispensing pharmacist names, quantity and length of prescriptions.
The breach notification rule requires organizations to notify affected patients of a breach within 60 days of discovery. The university's interpretation is that the 60-day clock started on Feb. 1 when the investigation ended and believes it is in compliance with the rule, the spokesperson says.
The university is not offering free credit protection services to affected patients, a service that organizations often provide but certainly is not universal and is contingent on the level of threat of credit fraud or identity theft. University attorneys "concluded the best process was to advise people to closely monitor their potential transactions and to be vigilant," the spokesperson says.
Since the breach, the university has taken a number of steps to increase data security. These include improved training of system administrators, installation of automated software to detect malicious activity, increased efforts to identify files in departmental computers containing personal information, and additional staff training in security practices, according to a statement.