Thursday, August 03, 2006

Crash into Me

An update on the Ohio University data breach and what is being done (after the horse has left the barn, of course):

The network still remains offline, pending the result of an audit to determine if the rebuilt network is compliant with the Health Insurance Portability and Accountability Act.
It is not known if the network prior to the breach adhered to HIPAA guidelines, because the U.S. Department of Health and Human Services, which enforces HIPAA compliance, has a policy against commenting on possible investigations.
When the system does come back online, Hudson will no longer store social security numbers with the student information, said Jackie Legg, Hudson business manager.
The Hudson breach, which was discovered May 4, compromised the Social Security numbers of all students enrolled since Fall Quarter 2001 and certain faculty and university employees.

A big part of the sloppiness seems to have resulted from higher-ups ignoring repeated requests from IT personnel for help with an inadequate system. Now, instead of an ounce of prevention, the university will have to spend up to 5.5 million dollars on a cure.
