Outdated Student Health software causes security breach
Aetna Health Insurance procedures also not followed
More than 18,000 students received an informational brochure from Aetna Health Insurance earlier this month which inadvertently included their social security numbers above their names on the address labels. The error was the result of an outdated computer program used exclusively by the University’s Department of Student Health to gather data from the Student Information System, University spokesperson McGregor McCance said in an email.
The mailing was sent to all incoming and returning students, McCance said.
The social security numbers and address information were transferred from the University to Aetna Health Insurance, the company with which the University partners to offer students insurance plans. This transfer was made through a secure electronic medium, McCance said.
That information was subsequently transferred to Aetna’s third-party mail vendor through a similarly secure format, Aetna spokesperson Cynthia Michener said in an email.
The University has been phasing out the use of student social security numbers since 2009 as part of an initiative to increase security. The computer program Student Health used to gather the data from SIS predates this initiative and was still in use, McCance said.
“[Student Health’s] program was not updated as it previously should have been to prevent gathering of the SSNs,” McCance said. “This has now been corrected to prevent a reoccurrence.”
Aetna protocol was also not followed in this instance, Michener said. “Aetna’s standard protocol with the vendor is to review samples of the mail before a mailing goes out,” she said. “That procedure was not followed [by the vendor] in this circumstance. However, this mail vendor does business for Aetna, and as such, we share the responsibility for this mailing.”
Michener said the company reviewed its procedures and is working to ensure similar oversights will not happen in the future. “We also are instituting additional internal, Aetna protocols to detect and purge unnecessary data fields from files received from student health customers,” she said.
Aetna’s mail provider shipped out the pamphlets on July 3, and the University was made aware of the problem when a student contacted it on July 11, McCance said. The University aims to begin sending letters on Friday to inform students of the problem and has also established a call center for those with concerns about the issue, McCance said.
The number for the call center will be provided in the letter sent to affected students, said Dr. James Turner, executive director of student health, in an email to students sent Thursday evening.
The letter will also provide a number for students to register for a free one-year credit monitoring service, Turner said. “The service will detect possible misuse of personal information and provide identity protection service,” he said.