University of Virginia students’ Social Security numbers no longer are downloaded in a central database, the school will halt sending health mailers to students and a “particular query” that pulls information from the database no longer will be used, school officials announced Friday.
Those moves came as part of a recently completed first phase of a review being conducted by an information security task force appointed by UVa President Teresa A. Sullivan after insurance brochures were mailed to 18,700 students bearing their Social Security numbers along with addresses.
UVa learned of the mistake July 11, eight days after Aetna Student Health’s third-party vendor shipped the open-enrollment mailers. The university notified students of the error by email and followed up with a mailed letter, offering students a year of free credit counseling at the university’s expense.
University spokesman McGregor McCance said in a news release Friday that the task force has taken “immediate steps to analyze what occurred, mitigate the situation and prevent a recurrence.” He called that action “phase one” of the task force’s work.
School officials say a program used to mine information from a central database inadvertently pulled the Social Security numbers along with the addresses forwarded to Aetna. The insurer has said protocol stipulating that information on mailers be checked prior to delivery through a third-party vendor was not followed.
McCance said Social Security numbers that were listed in the database have been removed.
McCance wrote that future communications about Aetna health plans will not be sent by mail and the task force has asked departments to handle student communication by email or to be certain that mailers don’t contain “unnecessary personal information.”
McCance said the task force’s second phase of work would include looking to broader solutions for securing the personal information of students, faculty, staff, patients and vendors. He said the task force would review where information is collected and stored and determine whether the school should enhance existing security policies.
Chief Operating Officer Pat Hogan is the chairman of the task force. Members include representatives from the offices of internal audit, student affairs, compliance and enterprise risk management, human resources and information security. McCance wrote that the task force would add UVa Medical Center officials and student and faculty representatives in the near future. He said the group would have about 10 members.