ºÚÁϳԹÏÍø is following industry best practices to support individuals who may have been affected by a 2020 security breach of data related to athletic cases monitored by university athletic trainers.
IUP was recently informed that there was unauthorized access in 2020 to data in IUP’s Athletic Trainer System, managed by Keffer Development Services. Data managed in this system includes name, birthdate, medical history, injury status, demographic information and photograph, therapy or rehabilitation referrals and COVID-19 status, including vaccinations(s), and Social Security numbers.
A total of 2,014 individuals were identified as possibly affected by the data breach. Of this number, 1,588 did not have their Social Security numbers exposed through this breach.
KDS is working with the FBI to investigate this possible breach, and IUP is following the notification requirements of the ºÚÁϳԹÏÍø Breach of Personal Information Notification Act as well as providing voluntary notification to the Department of Education Federal Student Aid Internet Gateway. Members of the ºÚÁϳԹÏÍø State System of Higher Education legal counsel have provided the required notification to the ºÚÁϳԹÏÍø Office of Attorney General.
In February, IUP mailed letters to 1,766 individuals for whom addresses could be found, alerting them to the possible data breach. Individuals who did not have a possible breach of their Social Security numbers (1,480) were offered 12-month single-bureau identity protection service, free of charge to them; the individuals with potential exposure of their Social Security numbers (286) were offered 24-month triple-bureau identity protection services, free of charge to them. The identity protection services are being provided by ZeroFox ID Experts.
As part of IUP’s compliance with the ºÚÁϳԹÏÍø Breach Notification Act, information about this possible data breach is being shared on the IUP website and to media in order to reach individuals for whom addresses have not been found.
“As soon as we were notified about this possible breach, we immediately took the appropriate steps to notify the individuals who may have been affected while ensuring appropriate electronic security measures are in place to eliminate future breaches,” Vice President for Student Affairs Tom Segar said. “The safety and security of our students, including online security, is a priority.”
Since January 2021, IUP’s Department of Athletics staff, working with IUP’s Information Technology Services, requires a multi-factor authentication through the IUP Duo application, including “forcing” strong passwords.
Individuals who believe they have been affected by this possible security breach should contact the Department of Athletics at athletics-dept@iup.edu.