Patients Notified of Sleep Lab Computer Breach

February 28, 2003

Indiana University

On Jan. 3, it was discovered that a single computer in the Center for Sleep Disorders laboratory at the Indiana University School of Medicine had been illegally breached by an outside, unauthorized source. A software package supplied by a vendor inadvertently opened a security hole on this particular machine. The computer stores information on approximately 7,000 sleep-study patients.

The Information Technologies office at the School immediately took steps to secure the data on the computer and to prevent additional unauthorized entry to that computer or any others within the laboratory.

The patients whose names, addresses, Social Security numbers and dates of birth were stored on the computer have been notified and advised to take precautionary measures to assure that their records have not been compromised.

Information Technology officials at the School said there is no way to determine if any of the personal patient information was downloaded.

As a precautionary measure, patients whose records were involved in the breach have been encouraged to carefully review future credit card and similar bills, and in general to be watchful for unusual activity with financial implications. Also, the Federal Trade Commission has an ID Theft Website at The FTC also has a toll-free Identity Theft Hotline at 1-877-IDTHEFT available from 9 a.m. to 7 p.m. ET for the filing of ID theft reports or for access to a consumer counselor.

As part of the ongoing security strategy the IU School of Medicine has taken the following steps: * Additional security blocks have been placed on the perimeter of the network. * An outside security company has been contracted to scan the entire School’s network and identify and fix any additional vulnerabilities it finds. * The School is actively recruiting a security officer who will create ongoing policies and procedures and monitoring mechanisms to further secure the environment. * In the last six months the school has trained more than 2,000 employees in privacy and security regulations.

The IU School of Medicine regrets any concern and inconvenience to patients caused by the breach. Patient confidentiality remains a paramount concern among all physicians, health-care staff and supporting administration staff at the School.

main page ATTRITION feedback