A hacker illegally accessed 17 computer servers at the University of Alabama that contained a database with sensitive personal information on university medical patients.

How many victims? A database containing 37,000 records of lab data was on the servers.

What type of personal information? Names, addresses, birthdates and Social Security numbers of each person who has had lab work, such as a blood or urine test, done on the UA campus since 1994. The servers did not contain any student or medical records, according to John McGowan, vice provost of information technology at UA.

Details: The incident occurred in November 2008. The hacker is believed to have gained access to the servers by performing a random scan of the university’s network and finding a vulnerable server to attack. Officials believe the attacker left after not finding anything of interest. The forensic investigation concluded that the hacker was not in the system long enough to retrieve any confidential information, McGowan said.

What was the response? Law enforcement agencies, including the UA Police Department, were notified and the rest of the university’s servers were scanned for intrusions. The incident is still under investigation and no arrests have been made. A letter was sent to individuals whose information was on the servers.

Source: www.tuscaloosanews.com/, Tuscaloosa News, “UA says probe continues of ’08 hacking,” Feb. 14, 2009.