HIPAA SUBSTITUTE NOTICE
Notice Regarding Malware Infection and Potential Data Exposure at Barry University’s Foot and Ankle Institute
Barry University has detected the presence of a form of malware which infected a University laptop computer and the files contained within it, on or around May 14, 2013. The University immediately commenced an investigation of the incident and retained a third-party computer forensic company to investigate the extent of the infection, including identification, isolation and removal of the malware infection from Barry University’s network. The affected files have been restored to their original state and there is no longer any evidence of active malware on the device.
Certain personal and medical information of patients (and their guarantors) from Barry University’s Foot and Ankle Institute was contained on the infected laptop. Due to the complexity of the malware infection, the University cannot conclusively determine whether the malware was able to expose any of its patients’ or guarantors’ personal information or whether an unauthorized person acquired the information. Out of an abundance of caution, Barry University has notified individuals who may have been affected, although we did not have sufficient contact information for certain individuals. It is important to note that, to date, the University has not received any reports of identity fraud, theft, or other harmful activity resulting from this incident.
Since completing the forensic investigation, Barry University has devoted considerable time and effort to determine what exact information may have been on the affected device. The data on the device included one or more of the following on each individual: full name, date of birth, Social Security number, bank account number, credit/debit card number, driver’s license number, medical record number, health insurance information, diagnosis, and/or health information about specific patient treatment with Barry University. The laptop contained personal and medical information of patients (and their guarantors) of the Foot and Ankle Institute from approximately 2007 – May 2013.
Barry University takes this situation very seriously and we deeply regret that personal and medical information may have been exposed as a result of this malware infection. It has taken steps to secure against similar future attacks by engaging an information technology security specialist to provide mapping and risk assessment analysis and has implemented additional security measures. The University has offered a complimentary 12-month credit monitoring service to affected individuals along with advice on other precautionary measures they can take to protect their personal and medical information.
We were unable to locate certain potentially affected individuals, and are providing this notice on our website to notify those individuals of this incident. If you did not receive a notification letter in the mail from Barry University and you are concerned that your personal information may have been contained on the infected laptop, please call Barry University’s toll-free dedicated call center at 1-800-981-7571, Monday-Friday between 9 a.m. and 9 p.m. EST. Callers will need to use reference number: 47933. The call center will confirm whether or not your personal information was included in this incident. If you have been affected, you will receive instructions on how to enroll in the complimentary 12-month credit monitoring service.