August 2, 2013
UVa is changing how it handles students' personal information. The move comes as a task force is reviewing how more than 18,000 students' Social Security numbers were printed on envelopes by an outside vendor.
Among the changes: Student Health will no longer keep students' Social Security numbers in a database, and Aetna will no longer mail students information about the available health plan.
The task force will continue to look for ways to protect students' private data, according to a Friday morning press release.
Below is the complete press release from the University of Virginia:
Information Security Task Force Completes First Phase of Review
CHARLOTTESVILLE, Va., Aug. 2, 2013 — A task force appointed by University of Virginia President Teresa A. Sullivan has completed the first phase of its review of University policies and procedures regarding the protection of personal information and related data.
Sullivan announced the formation of the task force July 22 after the University learned of the inadvertent use of student Social Security numbers on a brochure mailed by Aetna Student Health in July.
Phase one included taking immediate steps to analyze what occurred, mitigate the situation, and prevent a recurrence. As a result, Social Security numbers no longer are downloaded into the Student Health database, the particular query used to pull student information for mailing labels will no longer be used, and future communications regarding the Aetna student health plan will not be sent by mail. In addition, the task force alerted University schools and departments to request that they handle any planned student mailings by e-mail or to ensure that mailing labels do not display unnecessary personal information.
The second phase of the task force’s work will review further potential steps the University should take to enhance the security of personal information of students, faculty, staff, patients and vendors. The task force will review where personal information is collected and stored, confirm that personal information is requested only for legitimate business purposes, and determine whether the University should enhance its existing security controls and policies for personal information. Recommendations for improvements will be made where determined to be appropriate.
Executive Vice President and Chief Operating Officer Pat Hogan serves as chair of the task force and the Office of General Counsel advises it. Members of the task force include representatives from the offices of Internal Audit, Student Affairs, Compliance and Enterprise Risk Management, Human Resources, and Information Security. As the group begins the second phase of its work, it is adding members from the Medical Center, as well as student and faculty representatives.