An independent security researcher recently notified the University of Chicago Medical Center that a security vulnerability affected a database with information about a cross-section of individuals with connections to the University of Chicago, including some donors and some patients. The information was exposed when a vendor hosting the database accidentally misconfigured a server. Following notification from the security researcher, our team was able to quickly identify and secure the exposed database.
We are conducting a comprehensive forensic investigation and have determined that no unauthorized parties – beyond this security researcher – accessed the information in the database. The researcher confirmed that he never downloaded the full database and only accessed a limited number of records. The database included limited personal information, and there was no exposure of social security numbers, credit card or banking information. For some records in the database, the names and clinical areas of physicians who treated patients were also included, but the database contained no detailed information from the patients’ medical record.
The University of Chicago and the University of Chicago Medical Center take data privacy very seriously and work vigorously to protect the confidentiality and security of sensitive information. We will comply with all applicable regulatory requirements as we complete our investigation.