Win tickets to see the smash hit musical Mamma Mia at the Roanoke Civic Center. Two winners will each receive four tickets!
According to Aetna, the school's insurance provider, the third-party mail vendor failed to ensure the address labels were checked.
The Rotunda is the signature structure of the University of Virginia in Charlottesville.
Thursday, July 18, 2013
CHARLOTTESVILLE - A third-party mail vendor violated protocol in failing to review address labels listing Social Security numbers on brochures sent to 18,700 University of Virginia students, a health insurance provider said Thursday.
The direct mailing listing the students' nine-digit Social Security numbers on Aetna Health Care open enrollment brochures was sent July 3, UVa officials said. Eight days later - on July 11 - a student notified the university, the school said.
The university provided the students' information, including the Social Security numbers, to Aetna, school officials said.
"Aetna's standard protocol with the vendor is to review samples of the mail before a mailing goes out. That procedure was not followed by the vendor in this circumstance," said company spokeswoman Cynthia Michener. "However, this mail vendor does business for Aetna, and as such, we share the responsibility for this mailing."
School officials said they did not know whether any UVa personnel inspected the information before forwarding it to Aetna.
A program used to mine student information from a university Department of Student Health database was supposed to have been updated to exclude Social Security numbers, but was not, university spokesman McGregor McCance said.
"This was an oversight that has been corrected," McCance said.
Word of the breach broke late Wednesday afternoon in the Cavalier Daily, the school newspaper. James Turner, executive director of student health, emailed the student body about the error Thursday evening.
The letters probably were sorted mechanically, which means only one or two people handled each brochure before it ended up in mailboxes, said U.S. Postal Service spokeswoman Freda Sauter.
"They are pre-sorted, then it goes to a certain route, then directly to the carrier," Sauter said. "It's not like 20 people would have seen each piece."
Students on campus said Thursday afternoon they were unaware of the mistake until being approached by a reporter.
"I checked my emails this morning and did not see anything about it, but this isn't good," third-year student Ana Turenkov said as she left class Thursday afternoon. "If it had happened yesterday, I feel like they should have said something right away."
McCance said university officials worked as quickly as they could in the eight days after they heard about the breach to fix the errors that caused it and to notify students.
"There are lots of channels to go through and lots of things that have to be checked out, and that does take some time," he said. "The university has moved as quickly as it can."
The university plans to mail letters today to students further explaining the problem, McCance said. The letters will provide affected students a toll-free number of a free credit monitoring service, he said.
UVa phased out the use of Social Security numbers as a means of primary student identification between 2009 and 2012, McCance said, but the numbers still are kept in some campus databases. Students who apply for federal financial aid or use student health services still are required to provide their numbers.
The Aetna mailers were sent to all new and returning students, McCance said.
Students who do not need financial aid, have not used student health services or are international students, do not have Social Security numbers on university files, he said.
Third-year economics major Mark Zoepfl said he was worried about the effect the breach would have on him later in life.
"It scares me a little because it could affect my credit score later on," he said. "It's something that the university needs to work harder to protect, and I would have liked to find out earlier."
The theft of Social Security numbers costs American taxpayers more than $5 billion a year, said Federal Trade Commission attorney Steven Toporoff.
This is not the first time UVa has leaked sensitive information:
Weather JournalBreather before next wintry system