Computer Security
Information on Computer Security Incident at University of Wisconsin Oshkosh Living Healthy Community Clinic
Below are some of the questions we've anticipated or received about the recent computer security incident that may have exposed records of some current and former patients of the UW Oshkosh Living Healthy Community Clinic.
Frequently Asked Questions
1. Is this letter I received, dated Aug. 26, for real? Yes. The letter was sent by the University of Wisconsin Oshkosh. The university wanted to inform those potentially affected by a security incident that may have exposed records containing their names, Social Security numbers and medical information.
2. When did UW Oshkosh become aware of the incident? The University learned of the installation of malware on July 25, and immediately shut down the affected computer, isolated it and began to investigate. During the course of the investigation, we discovered that files containing names, Social Security numbers and medical information were stored on the exposed computer.
3. What actions were taken when the university discovered the incident? We immediately shut down the computer and reassessed the clinic's computer security. The University launched a collaborative investigation with UW System staff to determine the source and extent of the security breach.
4. What type of information was on the infected computer? The infected computer included files that contained approximately 3,000 instances of personal identifying information including names, Social Security numbers and medical information of clinic patients. However, the investigation found no indications that data had been taken.
5. What exactly is malware? According to the Department of Homeland Security website, malware, short for malicious software, consists of programming (code, scripts, active content, and other software) designed to disrupt or deny operation, gather information that leads to loss of privacy or exploitation, gain unauthorized access to system resources, and other abusive behavior.
6. Was the information stored in a way that it could be compromised and potentially misused? The information was stored on a secured computer, but even the most secure systems can be infected. The investigation found that the computer's antivirus software successfully identified malware that could have allowed unauthorized access on or about the same day the infection occurred.
7. How could this have happened? Some of these malware attacks are targeted, but many are automated and occur randomly throughout the Internet. Our investigation suggests this incident was not the result of a targeted attack. Even the most secure systems can be infected. As a result, security is a moving target and requires constant improvement.
8. Do we know if any personal information has been misused? There is no evidence that the malware obtained your personal data on the compromised computer or that it has been retrieved. However, we wanted to make you aware of the incident, suggest steps you could take to monitor your financial information and let you know what we have done to prevent this from happening in the future.
9. Do we have any idea who is behind the malware attack and/or if the system was compromised? As with many such incidents, the investigators were not able to identify those who gained access. The university's investigators theorize the motive was not identity theft, and could find no evidence of attempts to download names, Social Security numbers or other information. The investigation suggests it was not a targeted attack.
10. What steps did the university take before contacting me? The university launched its collaborative investigation not long after isolating the affected computer and contacting UW System information technology experts. The investigation got underway to determine the source and extent of the security breach. Once we received the investigators' report, we were able to identify and start notifying those who may have been affected and provide additional resources to further protect their information.
11. In comparison to other breaches, how damaging/serious is this? There are many other breaches larger than this one. Although we have no evidence that anyone's personal information was retrieved or that any information was misused, at UW Oshkosh we take all security incidents seriously.
12. Was this incident reported to the authorities? The university has reported and is reporting the incident to all local and federal agencies, including law enforcement entities, as it is required to under state and federal laws. These rules require a swift and thorough response, and we are following them closely.
13. Is there anything I should do now to protect my identity and personal information from being misused? It's recommended that everyone monitor their financial information by:
- Reviewing bank and credit card statements regularly, and looking for unusual or suspicious activities.
- Contacting appropriate financial institutions immediately upon noticing any irregularity in a credit report or account.
- Requesting a free credit report and carefully inspecting your own credit scores.
14. Does this mean any other information I've provided the Living Healthy Community Clinic or UW Oshkosh could be accessed? Am I at higher risk for this happening again? We have no evidence that anyone's personal financial information was retrieved or that any information was taken and misused. Since learning of this issue, the university has updated the security on the system to assure better protection from such attacks.
15. Shouldn't the university be offering free credit monitoring? We have no evidence that anyone's personal information was retrieved or that any information was misused. However, it is recommended that everyone monitor their financial information by:
- Reviewing bank and credit card statements regularly, and looking for unusual or suspicious activities.
- Contacting appropriate financial institutions immediately upon noticing any irregularity in a credit report or account.
- Requesting a free credit report and carefully inspecting your own credit scores.
16. How can I be sure this type of incident won't occur again? The University has updated the security on the computer to ensure better protection from attacks. Because of the numerous and continuous efforts by unauthorized individuals to access information stored on the internet or computers, security continually needs to be upgraded and improved. The University's investment in information security technology on campus has been strong. UW Oshkosh also strives daily to educate students, faculty and staff about the safe, smart and vigilant use of technology connected with our institution.
17. What should I do if I have further questions? Contact:
Nick Dvoracek
Director of Learning Technologies and Interim Chief Information Officer
University of Wisconsin Oshkosh
Phone: (920) 424-7363
18. Where do I get additional information regarding credit agencies and resources? Here are some resources for more information on protecting personal information:
- Trans Union: http://www.transunion.com; Fraud Victim Assistance Department, (800)680-7289
- Equifax: http://www.equifax.com; Fraud Division, (800) 525-6285
- Experian: http://www.experian.com; Credit Fraud Center, (888) 397-3742
- Wisconsin State Office of Privacy Protection: http://privacy.wi.gov/resources/resources.html
- To request an annual free credit report: https://www.annualcreditreport.com/cra/index.jsp
We are sorry for any concern or inconvenience this incident may cause you. Information security is a matter UW Oshkosh takes very seriously. Throughout the institution, we work hard to incorporate the most effective technology to protect personal information from security threats and to make all users of our computers and systems aware that they are part of the proactive solution.
How to Protect Your Personal Information
After any security incident involving personal information, it's a good idea to monitor your credit report. Federal law entitles you to a free copy of your credit report once every 12 months from each of the three major credit reporting agencies – that's one free every four months. To request this information, call toll-free 877-322-8228 or go to www.annualcreditreport.com.
You may also contact the three major credit reporting agencies directly to get a copy of each report. You may also get a free copy of your report if it is inaccurate because of suspected fraud. The toll-free numbers are:
- Experian: 888-397-3742
- Equifax (CSC): 888-766-0008
- Trans Union: 800-680-7289
Other things you can do to protect against identity theft are:
- Place a fraud alert on your credit report by contacting the credit reporting agencies.
- Subscribe to a credit monitoring service. Most of the credit agencies offer this service for a fee.
- Place a security "freeze" on your credit report if you are sure you have been a victim of attempted identity theft.
- Report suspected identity theft to the Federal Trade Commission (FTC) at: https://www.ftccomplaintassistant.gov.
Other resources that may be helpful in preventing or responding to identity theft are:
- Local law enforcement. A police report of identity theft is helpful when notifying creditors, credit reporting agencies and Social Security.
- Wisconsin Privacy Office at http://privacy.wi.gov/resources/resources.html
- FTC at http://www.ftc.gov/bcp/edu/microsites/idtheft
- Department of Justice: http://www.usdoj.gov/criminal/fraud/websites/idtheft.html
- Privacy Rights Clearinghouse: http://privacyrights.org/identity.htm
- Social Security Administration Fraud Hotline: 800-269-0271
- FTC ID Theft Clearinghouse: 877-438-4338
- Identity Theft Resource Center: 858-693-7935
Statement on Living Healthy clinic computer security incident
August 26, 2011
The Living Healthy Community Clinic operated by the College of Nursing at the University of Wisconsin Oshkosh recently experienced a computer security incident that may have exposed records containing the names, addresses and Social Security numbers of individuals who received services at the clinic, and health records of a smaller group of such individuals.
On July 25, 2011, University technology staff members found evidence of a computer virus on a desktop computer at the clinic. The computer was removed from the network, and a forensically sound image of the computer's hard drive was analyzed by the UW-Madison Office of Campus Information Security. Analysis determined that the desktop computer contained approximately 3,000 instances of personal identifying information, but there was no indication that any data had been taken.
The investigators have not been able to identify those who gained unauthorized access, but it appears that this was not a targeted attack, since the same virus has been found in unrelated computers in other areas of the state. While there is no proof of any attempt to download the names, addresses, Social Security numbers or health records from the desktop computer that was compromised, we wish to inform those people who had records stored on the desktop computer.
UW Oshkosh is in the process of individually contacting affected clinic patients to inform them of the nature of the security incident, the steps taken to thoroughly investigate it, the efforts put in place to address future security concerns in this area, and resources that are available to protect personal information and prevent identity theft. These resources can be found at http://www.uwosh.edu/go/security.
The University takes the protection and integrity of data very seriously, and its recent investment in information security technology has been one of its most robust in years. "The recent threat, those that have emerged at other UW System institutions, and those that daily challenge universities and businesses large and small around the country are reminders of the need for safe computer use throughout an organization's culture," said Nick Dvoracek, UW Oshkosh director of learning technologies and interim chief information officer.
"UW Oshkosh has strong policies, protocols and programs in place that not only protect sensitive information but also empower computer users to be part of the security solution," Dvoracek said. "As we approach a new academic year, this recent security concern reinforces our commitment to continue educating students, faculty and staff about the smart, safe, vigilant use of technology connected with our institution."
Lane Earns
Provost and Vice Chancellor



