ORONO, Maine — A data breach of computers at the University of Maine’s counseling center allowed hackers to access not only the Social Security numbers and dates of birth of students and alumni who have sought its services in the past eight years but clinical information as well.
Students or former students who visited the counseling center between Aug. 8, 2002, and June 12, 2010, should assume that they are in the affected database, Vice President for Student Affairs and Dean of Students Robert Dana said at a news conference Tuesday.
Sensitive medical data related to approximately 4,585 UMaine students who used services at the counseling center over a period of nearly eight years were exposed as a result of the attacks, Dana said. The breach was discovered June 16 when staff at the counseling center had trouble accessing records, he said.
The university’s Police Department is leading the investigation into the hacking of two UMaine computer servers on March 4 at the counseling center, Dana said. The counseling center, located at the Cutler Health Center, provides support and mental health services to the university’s student population.
“There is no indication that data were viewed, compromised or downloaded from either of these servers, but we are operating according to a worst-case scenario,” Dana said. “In any case like this, identity theft must be a top concern, and consequently we are taking strong measures to assist those whose information may have been exposed and to prevent further security intrusions.”
The university’s announcement followed an unrelated incident in which hackers disrupted a website that helps users search for information about bills being considered by the Maine Legislature.
Police on campus are consulting with the U.S. Attorney’s Office and computer crimes experts from the U.S. Secret Service. The Secret Service headed up the investigation that led to the recent arrest, prosecution and conviction of an international ring of computer identity thieves responsible for breaches of databases operated by Hannaford Bros. Supermarkets, T.J. Maxx and others, according to previously published stories.
“The high-level safeguards we have in place routinely thwart these attempts, but they were not adequate in this case,” Dana said Tuesday. “This is a serious breach, and we are profoundly sorry that this has happened.”
The university has engaged Debix, an Austin, Texas, firm that works with organizations that are victimized by attacks of this nature, the dean announced. For at least 12 months, Debix will monitor affected individuals who wish to access the company’s services to watch for indications of identity theft and any fraudulent activity related to their credit. In addition, the company will provide immediate alerts to individuals if there is suspicious activity related to their credit, along with identity theft insurance, Dana said.
Next month, the university will send a customized letter to each person in the hacked database. The letters will include details about how Debix’s services can be accessed. UMaine will bear the cost of the service for those affected by the breach.
The university also has offered to pay for counseling services if victims request it.
“This is an insidious affront to the rightful privacy expectations of our students,” Dana said at the news conference, held at the Buchanan Alumni House. “The criminals, who make it their business to exploit our society’s need and ability to store information, are beneath contempt, and we are engaging all possible resources to find the source of these attacks.”
After the press conference, UMaine spokesman Joe Carr said the estimated cost of dealing with the fallout from the breach was $75,000.
On the Web: http://www.umaine.edu/informationcenter