President creates task force to investigate social security number scandal
Outdated software leads to inadvertent break in cybersecurity; students tackle private information security issues
University President Teresa Sullivan announced to faculty and staff on July 22 the creation of a task force following the inadvertent leak of more than 18,000 students’ social security numbers.
The incident occurred after outdated software used by Student Health gathered the numbers along with student names and addresses and sent the data to Aetna Student Health, the organization providing students health insurance when purchased through the University. Informational brochures were sent to all incoming and returning students, and those with social security numbers in the Student Information System had the unidentified digits printed just above their names on the address labels.
The task force is comprised of representatives from the offices of Internal Audit, Student Affairs, Compliance, and Enterprise Risk Management.
The University announced the completion of the first phase of the task force’s work on Aug. 2. Members analyzed the incident and instituted policies to prevent a recurrence, including a software update and a requirement for future Aetna health plan information to be sent to eligible students via email, according to a University press release.
Fourth-year College student Neil Branch, Student Council’s Vice President for Organizations, sent Executive Vice President Patrick Hogan and University President Teresa Sullivan an email asking for increased student input on the University’s approach to the security of personal information.
The administration ultimately agreed to add a student member to the task force, and after a discussion between Council President Eric McDaniel, a fourth-year College student, and Pat Lampkin, vice president for student affairs, third-year Engineering student Jalen Ross, Council’s director of university relations, was nominated to serve as the student representative.
McDaniel, who is standing in for Ross on the task force until Ross returns to Charlottesville, joined after the task force had completed its first phase.
“My role is to be a student voice and student advocate in this process,” McDaniel said. “That has entailed responding to how students have been perceiving this … [and] generally adding a student viewpoint to the conversation.”
The goal of the task force is both to review the incident itself, and to work on preventing similar breaches from occurring in the future, McDaniel said.
McDaniel said the task force will release a report once its work is completed detailing the steps the University has taken to ensure the future security of students’ personal information.
“The task force is a holistic review to make sure this doesn’t happen again,” McDaniel said.