Boston University notifies medical research participants after server compromise
When a Boston University server was used to launch attacks against a system in Nova Scotia in May, the Nova Scotia network administrator contacted BU to alert them.
BU’s month-long investigation revealed that one of its servers had been compromised – possibly by a hacker in Russia – in March 2015. Of note, the compromise also enabled the attacker to access and download a file on that server that contained the names and Social Security numbers of 828 individuals who had participated in a research study. The principal investigator of the study, which ran from 2004 – 2011, was Edward Bernstein, MD of Boston Medical Center Emergency Medicine and Boston University School of Public Health Community Health Sciences.
In addition to names and Social Security numbers, the file on the compromised server also contained the participants’ date of birth, medical record number, and dates relating to the research.
As soon as BU discovered the server contained a file with personal information, they removed the file from the server.
BU informed affected research participants by letter on July 10, and offered them free credit monitoring services for one year, noting that BU had no evidence that the individuals’ information had actually been accessed or downloaded.
You can access BU’s notification to the Maryland Attorney General’s Office and the attached notification to those affected here (pdf).