Hacker accessed 7,000 patient files at IU sleep clinic --- R. Joseph Gelarden & Terry Horne --- Online Security

Online Security, a global provider of computer forensics and information technology risk mitigation since 1997

Original Source: http://www.indystar.com/print/articles/2/026103-7472-009.html

Hacker accessed 7,000 patient files at IU sleep clinic
Author: R. Joseph Gelarden & Terry Horne

Officials warn those affected to watch for identity theft; medical data was untouched

Thousands of patients of Indiana University's Center for Sleep Disorders are being urged to keep a close eye on their financial affairs after officials discovered a computer break-in that might have compromised personal information.

IU School of Medicine officials say an automated probe slipped into a center computer in late November after new software was installed. The hacker might have wandered around the center's files, which contain sensitive information such as names, Social Security numbers, home addresses and dates of birth.

The break-in was discovered Jan. 3, according to the school's chief information officer, Vince Sheehan. University officials have notified the 7,000 patients who have attended the sleep center in the past 14 years.

The letters, sent Feb. 12, warned of possible identity theft.

Sheehan said it took six weeks for the university to send letters to patients because some older records did not contain up-to-date address information.

While the hacker's program was able to roam through patient identification files, it was not able to gain access to detailed medical information, Sheehan said.

"It was possible (the hacker) found out the patients had attended the sleep disorder programs, but (the program) did not enter the detailed patient medical files," he said.

Sheehan, the school's associate dean for medical technology, said his was one of the names included in the files because he has been tested at the sleep center. So far, he has not found any instances in which his data has been misused.

But he urged other patients to keep a close eye on their credit reports.

IU School of Medicine spokesman Joe Stuteville said the university has no evidence any identities were stolen or even that the hacker downloaded any files.

After learning of the breach, the university notified the FBI and removed the infected computer from the university network.

The sleep center incident is the third breach of IU's cyber systems in more than two years.