
Cyber Bytes is S.H. Smith & Company's Cyber, Security & Privacy blog – written by the experts you trust.
Educational Institutions that have taken the appropriate measures before a breach event occurs can minimize the damage. Here you will find some recent examples of Educational Privacy claims scenarios.
Cornell University (Ithaca, NY) – Names and Social Security numbers of nearly 2,000 people associated with Cornell were publicly available for five days. The information was on a computer in Cornell's athletics department and was accidentally placed online.
Source: Media
University of Georgia (Athens, GA) – The passwords of 2 UGA IT employees were reset and misused by a hacker. Names, Social Security numbers, and other sensitive data of current and former school employees (8,500 students in all) may have been exposed.
Source: Media
Multi-University Breach (United States & International) – The University of Texas, University of Colorado, University of Pennsylvania, Duke University, Rutgers University, University of Pittsburgh, University of Florida, Case Western Reserve University, Texas A&M University, Boston University, Purdue University, University of Arizona, Arizona State University, University of Utah, and additional universities were affected. Universities outside of the United States were also affected. A hacking group called Team GhostShell targeted universities around the world. A total of 53 universities were affected. Most of the data exposed was publicly available, but student, staff, and faculty usernames and passwords were also exposed. It is unclear if any financial information or Social Security numbers were taken from universities.
Source: Databreaches.net
Yale University (New Haven, CT) – Hackers accessed at least one Yale database and obtained the details of 1,200 students and staff. Hackers may have obtained names, Social Security numbers, addresses, and phone numbers. Additionally, usernames, passwords, and email addresses were published as proof of the hack.
Source: Databreaches.net
Grimmer Middle School (Schererville, IN) – A hacker or hackers accessed faculty and staff usernames, email addresses, and passwords. The information was then posted online.
Source: Dataloss DB
Housatonic Community College (Bridgeport, CT) – Two campus computers were determined to have been infected by malware. The breach occurred when a faculty or staff member opened an email that contained a virus. Faculty, staff, and students affiliated with the school between the early 1990s and the day of the breach – an estimated 87,667 people – may have had their names, Social Security numbers, dates of birth, and addresses exposed. Housatonic's president acknowledged that the cost of handling the breach could be as much as $500,000.
Source: Dataloss DB
Columbia University (New York, NY) – A programmer erroneously saved an internal test file onto a public server in January 2010. Current and former employees had their names, Social Security numbers, addresses, and bank account numbers available on the internet from January 2010 until April of 2012. A total of 3,000 current and former employees were affected, but an additional 500 sole proprietors were also affected.
Source: Dataloss DB
Holy Family University (Pennsylvania) – A hacker accessed the database information of Holy Family University and posted the information online. The leaked data included a table with 12 usernames and encrypted passwords. Proprietors were also affected.
Source: Dataloss DB
Contact us so we can help you identify potential exposures and security coverage gaps.
September saw the release of the much-anticipated Deloitte Security Study. 40% of the 46 major insurers have suffered at least one security breach in the last year according to Deloitte's 2012 Global Financial Services Industry Security Study. As a result, Cyber Security has become a top priority for the financial services industry.
Betty Shepherd, Vice President and Cyber, Security & Privacy expert at S.H. Smith & Company notes, "With the continued growth of data breaches experienced by financial institutions, we should see a continued growth in the need for cyber risk insurance in this industry segment."
Read the full '2012 DTTL Global Financial Services Industry Security Study' by clicking here.
S.H. Smith & Company employs the absolute brightest and most experienced Cyber, Security & Privacy experts in the industry so that you do not have to. We have been placing Cyber, Security & Privacy liability since its inception; in fact, some of the most widely used Cyber, Security & Privacy policies were conceived and written by our in-house experts. When it comes to underwriting trends, we set them rather than follow. Contact one of our Cyber, Security & Privacy experts to learn more about our full spectrum of capabilities.
Small healthcare organizations are obligated to protect patient health information and comply with the requirements of the Health Insurance Portability and Accountability Act (HIPAA), as well as other healthcare regulations. Organizations such as physician & dentist offices, home healthcare services, clinics and nursing care facilities are exposed to these regulations, and failure to comply with HIPAA or other regulations can result in steep fines that can cripple a small healthcare organization.
The Ponemon Institute conducted a study, sponsored by MegaPath, to understand the problems faced by small healthcare organizations and their attempts to safeguard “personal information” and “patient health information”. The Data Security in Small Healthcare Organizations study surveyed over 700 IT and Administrative employees in organizations with 250 or fewer employees. Below are some of the key findings of this recent study:
This study clearly indicates that data breaches are prevalent in smaller healthcare organizations and they are in need of improved data protection and risk management in order to be in compliance with the various data protection regulations. In addition, it would be important for these organizations to consider transferring some of the risk to a Cyber/Privacy Insurance policy to provide them with the protection they need in order to comply with breach notification laws and potential regulatory fines for non-compliance.