IU center's computers breached by hacker
By Terry Horne
February 28, 2003
About 7,000 patients of the Indiana University Center for Sleep Disorders have been notified that confidentiality of their Social Security numbers and other personal information has been compromised by a hacker who broke into the center's files last year.
Indiana University School of Medicine spokesman Joe Stuteville said IU computer technology employees discovered Jan. 3 that someone had hacked into a center computer on Nov. 27.
Stuteville said the hacker didn't gain access to patient medical files.
However, the computer did contain sensitive information, such as name, Social Security number, home address and date of birth, which an identity thief could use.
Stuteville said the university has no evidence any identities were stolen or even that the hacker downloaded any files. The hacker left a computer program probe that was attempting to use the center's computer as a jumping off place to enter other university computers.
Stuteville said the university's computer experts believe the probe did not succeed.
The university immediately notified the FBI and removed the breached computer from the university network, preventing any further outside access.
On Feb. 12, the university also sent out letters apologizing to patients and alerting them to carefully scrutinize their credit card statements and other bills. Stuteville said it took the university several weeks to compile an accurate mailing list.
Stuteville said the letter to patients provided a Federal Trade Commission toll free number where they can get additional information on identity theft. The number is 1-877-438-4338. It also included the address of a Web site -- www.consumer.gov/idtheft/ -- that has similar information.
Patients also were given a number at the sleep disorder center, which is located at Indiana University Hospital, to obtain more information. Stuteville said the center has received about 270 calls so far. The toll-free hotline is 1-866-367-6507.
Call Star reporter Terry Horne at 1-317-444-6082.
Hacker accesses patient information
By Annie Posick | Assistant News Editor
Spokesperson says there is no way to tell whether data was downloaded.
Computer experts at the IU School of Medicine discovered Jan. 3 that a hacker had broken into one of their computers at the Center for Sleep Disorders on November 27.
IU School of Medicine spokesman Joe Stuteville said a software package that had been installed on the computer might have enabled the hacker to break in.
The computer contained personal information from about 7,000 sleep study patients, including names, addresses, social security numbers and dates of birth. Personal medical history was not accessible, Stuteville said. A letter was sent out to the patients on Feb. 12 telling them about the computer breach and strongly encouraging them to review their credit card and other bill statements.
Theres no way to determine if any information was downloaded, Stuteville said. We dont think there was, but we dont know.
Computer experts believe the hacker left a computer program probe that could allow access to other university systems through the centers computer.
Stuteville said the hacker never got beyond the computer in the sleep center.
He said as soon as the breach was noticed, information technologists shut down the computer to prevent entry to other computers in the lab.
Since then, additional security has been added to the network and to the center. Stuteville said an outside security company has also been hired to scan the entire School of Medicine network for any other vulnerabilities.
We believe the problem has been fixed, he said.
Stuteville said the School of Medicine regrets any concern or inconvenience that patients may have experienced.
Jim Brown, associate dean of the IU School of Journalism at Indianapolis, was one of the patients who received a letter. He said this security break could be a huge inconvenience if anyones identification has been stolen. Brown believes the breach could have been avoided had the center used a different identification number.
Why are they using social security numbers when they could use something else?
Brown said when students check out equipment from the journalism school, he uses their OneCard number instead of their student identification number, which is usually their social security number.
I dont want that number sitting on a computer in my office, he said.
Brown believes social security numbers are widely overused for identification. He said he refuses to use his social security number for his drivers license and he is assigned a random identification number.
Why couldn't the medical school have done that?
Stuteville said confidentiality is a paramount concern to everyone at the School of Medicine.
Patients may call 1-866-367-6507 with any questions they may have for the School of Medicine.
Stuteville also provided a toll free number for the FTC for anyone who may be concerned about identity theft. Patients may call 1-877-438-4338 or visit the Web site at www.consumer.gov/idtheft/.