On May 16, 2008, it was discovered that someone outside the University of Iowa network compromised a database containing employee information for the Center for Disabilities and Development (CDD) at University of Iowa Hospitals and Clinics. Prior to discovery of the breach, sensitive information had been removed as part of a larger campus wide program to reduce the use of social security numbers. The employees involved have been informed of the compromise.
Below are answers to some of the questions affected individuals might have. If you have further questions, please contact Elayne Sexsmith at elayne-sexsmith@uiowa.edu.
Q: Whose information was in the database?
A: The University of Iowa is alerting current and past staff members of the Center for Disabilities and Development (CDD) at University of Iowa Hospitals and Clinics that a computer application containing Social Security numbers and date of birth information was improperly accessed from outside the UI network.
Back to top
Q. Was any patient information disclosed?
A. No patient information was disclosed.
Back to top
Q. If my information was in the database, does this mean that I'm a victim of identity theft?
A. No. Even if someone had retrieved your information, it doesn't mean you are a victim of identity theft or that the person intended to use the information to commit fraud.
Back to top
Q. I’d like to know with certainty that my personal information isn’t being used by someone else. What can I do?
A. The best way to protect yourself is to place a fraud alert on your credit files and review your credit reports, which you can obtain from one of three major credit bureaus.
The law requires the three major credit bureaus to provide you with a free credit report on a yearly basis. This is available through the Annual Credit Report website, https://www.annualcreditreport.com/. The Federal Trade Commission also has an ID Theft website at http://www.ftc.gov/idtheft.
If you notice accounts on your credit report that you did not open or applications for credit ("inquiries") that you did not make, these could be indications that someone else is using your personal information, without your permission.
Back to top
Q. What is a fraud alert?
A. A fraud alert is a message that credit issuers receive when someone applies for new credit in your name. The message tells creditors that there is possible fraud associated with the account and gives them a phone number to call (yours) before issuing new credit. When you call the credit bureau fraud line, you will be asked for identifying information and will be given the opportunity to enter a phone number for creditors to call.
Back to top
Q. What should I look for on my credit report?
A. Look for any accounts that you don't recognize, especially accounts opened recently. Look at the inquiries or requests section for names of creditors from whom you haven't requested credit.
Note that some kinds of inquiries, labeled something like "promotional inquiries," are for unsolicited offers of credit, mostly from companies with whom you do business. Don't be concerned about those inquiries as a sign of fraud. (You are automatically removed from lists to receive unsolicited pre-approved credit offers when you put a fraud alert on your account. You can also stop those offers by calling 888-5OPTOUT.)
Look in the personal information section for addresses where you've never lived. Any of these things might be indications of fraud. Also be on the alert for other possible signs of identity theft, such as calls from creditors or debt collectors about bills that you don't recognize, or unusual charges on your credit card bills.
If you find items you don't understand on your report, call the credit bureau at the number given on the report. Credit bureau staff will review your report with you. If the information can't be explained, then you will need to call the creditors involved and report the crime to your local police or sheriff's office. For more information on what to do, see the Iowa Department of Transportation’s page, “When bad things happen to your good name,” at http://www.dot.state.ia.us/mvd/omve/theft.htm
Back to top
Q. I called the credit bureau fraud line and they asked for my Social Security number. Is it okay to give it?
A. The credit bureaus ask for your Social Security number and for other information in order to identify you and avoid sending your credit report to the wrong person. No one from the University of Iowa will initiate contact with you directly about this incident. If someone contacts you claiming to be from the University of Iowa and asks for personal information regarding this incident, we recommend that you not share the information until you can verify the request. We recommend that you do not release personal information in response to any contacts of this nature that you have not initiated.
Back to top
Q. Do I have to call all three credit bureaus?
A. No. If you call just one of the bureaus, they will notify the other two. A fraud alert will be placed on your file with all three and you will receive a confirming letter from all three.
Back to top
Q. Why can't I talk to someone at the credit bureaus?
A. You must first order your credit reports. When you receive your reports, each one will have a phone number you can call to speak with someone in the bureau's fraud unit. If you see anything on any of your reports that looks unusual or that you don't understand, call the number on the report.
Back to top
Q. How long does it take to receive my credit report?
A. It could take about 20 days from the day you call the credit bureaus. It takes about 5 to 10 days from the time you call the credit bureaus to get your fraud alert confirmation letter with instructions on ordering your credit report. You should receive your reports in another 5 to 10 days from the time you order them.
Back to top
Q. How long does a fraud alert last?
A. An initial fraud alert lasts 90 days. You can remove an alert by calling the credit bureaus at the phone number given on your credit report. If you want to reinstate the alert, you can do so. If you are the victim of identity theft, you can place an Extended Fraud Victim Alert on your report by submitting a copy of a valid identity theft report that you have filed with a federal, state or local law enforcement agency. An Extended Alert will remain on your report for seven years.
Back to top
Q. Will a fraud alert stop me from using my credit cards?
A. No. A fraud alert will not stop you from using your existing credit cards or other accounts. It may slow down your ability to get new credit. Its purpose is to help protect you against an identity thief trying to open credit accounts in your name. Credit issuers get a special message alerting them to the possibility of fraud. Creditors know that they should re-verify the identity of the person applying for credit.
Back to top
Q. Can I still apply for credit after I place a fraud alert on my credit report?
A. You should still be able to get credit. While a fraud alert may slow down the application process, you can prove your identity to a prospective creditor by providing identifying information.
Back to top
Q. Will the University of Iowa contact me to ask for private information because of this event?
A. In similar cases at other institutions, people have reportedly been contacted by individuals claiming to represent the University and who then proceed to ask for personal information, including social security numbers and/or credit card information. Please be aware that the University of Iowa will not contact you directly with information regarding steps you should take to prevent possible fraud or identity theft; nor will the University ask for your full Social Security Number, University ID number, or Credit Card or Bank Account Number if you contact us, by email or telephone, for information. We recommend that you do not release personal information in response to any contacts of this nature that you have not initiated.
Back to top
Q. Will the University reimburse me for any expenses?
A. While we regret your personal information was exposed during this incident, we have no evidence that it has or will be used to commit fraud or identity theft against you. The University will consider reimbursement for expenses if evidence linking this information breach with financial harm is discovered.
Back to top
Q. What steps is The University of Iowa taking to improve the security of personal information on campus computers?
A. We are currently performing analysis of our systems to eliminate any remaining use of social security numbers where possible. We are also evaluating our policies and procedures to ensure protection of personal information.
Back to top
|
