WSU hard drive theft potentially impacts 1 million people
A hard drive containing the personal data of about 1 million people was stolen from Washington State University in April. The university began notifying those impacted last week.
The university discovered a locked safe that contained the hard drive was stolen from a WSU storage unit in Olympia in April. The hard drive contained backup files of the Social and Economic Sciences Research Center.
The stolen data is from survey participants and contained names, Social Security numbers and, for some, personal health data. The breach is not yet posted on the Department of Health and Services’ Office of Civil Rights breach site.
[See them all: 10 stubborn cybersecurity myths, busted]
The data came from school districts, community colleges and other organizations across the state.
WSU immediately launched an investigation and internal review and also contacted law enforcement. The university began notifying those affected on June 9 and established a dedicated call center. Those affected are being offered one year of free credit monitoring.
“I deeply regret that this incident occurred and am truly sorry for any concern it may cause our community,” WSU President Kirk Shulz said in a statement. “The University is taking steps to help prevent this type of incident from happening again.”
“These steps include strengthening our information technology operations by completing a comprehensive assessment of IT practices and policies, improving training and awareness for University employees regarding best practices for handling data and employing best practices for the delivery of IT services,” he said.
Phil Weiler, WSU vice president of communications, told Seattle National Public Radio station KUOW that police have closed the case and have not identified the suspect.
"The challenge is an individual may not know that his or her data was on that hard drive because they're not aware that the school district might be doing these multi-year studies, so that's why it's important for us to be able to send letters to individuals," said Weiler.
The event highlights the need to not only keep backup data offline -- but to encrypt all data. OCR fined Children’s Medical Center of Dallas for $3.2 million in February for a lack of encryption. The hospital had two thefts: one unencrypted BlackBerry in 2010 and an unencrypted laptop in 2013.