University of Miami

Your Personal Info Could Be

Exposed Online After

This Hospital Breach

Breach Description

The University of Miami experienced a data security breach involving Accellion, a third-party vendor providing hosted file transfer services. This incident, which came to light in early 2021, was part of a larger cyberattack affecting multiple organizations across various sectors, including federal, state, local, tribal, and territorial government organizations, as well as private industry organizations in the medical, legal, telecommunications, finance, higher education, retail, and energy sectors[1][7]. The breach was specifically linked to vulnerabilities in Accellion’s File Transfer Appliance (FTA), a tool used for secure file transfers[7].

Upon discovering the breach, the University of Miami took immediate steps to investigate and contain the incident. This included disabling the compromised Accellion server, engaging leading cybersecurity experts for assistance, and cooperating with law enforcement investigations[1][7]. The university also began the process of analyzing data files within the compromised server to identify individuals whose personal information might have been affected and started notifying affected individuals in accordance with applicable laws[1].

The breach was limited to the Accellion server used for secure file transfers and did not compromise other University of Miami systems or affect outside systems linked to the University of Miami’s network[1][7]. Despite the containment of the breach to the Accellion server, the University of Miami has continued to enhance its cybersecurity program to further safeguard its systems from future cyber threats[1].

In addition to the Accellion breach, the University of Miami also investigated a separate security incident in 2023 that affected a limited number of UHealth – University of Miami Health System patients. This incident involved an employee experiencing identity theft, including an intrusion into their work-associated UM email account, leading to the forwarding of emails containing patient names and medical record numbers to a third-party email account. However, there was no evidence that financial information or Social Security numbers were compromised[4].

The University of Miami has taken steps to address these incidents, including investigating, remediating compromised accounts, and enhancing measures to protect personal information and systems. They have also provided guidance to affected individuals on how to protect their personal information and monitor for any suspicious activity[4].

Citations:

  1. https://incident.miami.edu
  2. https://www.bizjournals.com/southflorida/news/2021/03/26/university-of-miami-investigates-data-breach.html
  3. https://security.it.miami.edu/sos-and-get-help/index.html
  4. https://umiamihealth.org/en/patient-,-a-,-visitors/notice-of-data-breach
  5. https://www.compliance.miami.edu/focus_areas/office-of-privacy–data-security/index.html
  6. https://www.it.miami.edu/about-umit/it-news/phishing/phishing-at-the-u/index.html
  7. https://www.local10.com/news/local/2021/03/26/university-of-miami-suffers-data-breach-in-connection-with-cloud-provider-accellion/
  8. https://www.databreaches.net/university-of-miami-health-breach-notice/
  9. https://youtube.com/watch?v=xO-Vmov5vVU
  10. https://www.nbcmiami.com/news/local/university-of-miami-investigating-data-security-incident-on-campus/2414923/
  11. https://www.govtech.com/security/hackers-target-university-of-miami-health-system-patients.html
  12. https://www.justice.gov/usao-mdfl/pr/university-miami-student-charged-hacking-multi-national-shipping-receiving-and-supply
Breach Submission Date Dec 22, 2022
Converted Entity Name University of Miami
Converted Entity Type Healthcare Provider
State FL
Individuals Affected 973
Breach Type Unauthorized Access/Disclosure

Breach Information Location Email

Business Associate Present Yes