University of Miami
Your Personal Info Could Be
Exposed Online After
This Hospital Breach
Breach Description
The University of Miami experienced a data security breach involving Accellion, a third-party vendor providing hosted file transfer services. This incident, which came to light in early 2021, was part of a larger cyberattack affecting multiple organizations across various sectors, including federal, state, local, tribal, and territorial government organizations, as well as private industry organizations in the medical, legal, telecommunications, finance, higher education, retail, and energy sectors[1][7]. The breach was specifically linked to vulnerabilities in Accellion’s File Transfer Appliance (FTA), a tool used for secure file transfers[7].
Upon discovering the breach, the University of Miami took immediate steps to investigate and contain the incident. This included disabling the compromised Accellion server, engaging leading cybersecurity experts for assistance, and cooperating with law enforcement investigations[1][7]. The university also began the process of analyzing data files within the compromised server to identify individuals whose personal information might have been affected and started notifying affected individuals in accordance with applicable laws[1].
The breach was limited to the Accellion server used for secure file transfers and did not compromise other University of Miami systems or affect outside systems linked to the University of Miami’s network[1][7]. Despite the containment of the breach to the Accellion server, the University of Miami has continued to enhance its cybersecurity program to further safeguard its systems from future cyber threats[1].
In addition to the Accellion breach, the University of Miami also investigated a separate security incident in 2023 that affected a limited number of UHealth – University of Miami Health System patients. This incident involved an employee experiencing identity theft, including an intrusion into their work-associated UM email account, leading to the forwarding of emails containing patient names and medical record numbers to a third-party email account. However, there was no evidence that financial information or Social Security numbers were compromised[4].
The University of Miami has taken steps to address these incidents, including investigating, remediating compromised accounts, and enhancing measures to protect personal information and systems. They have also provided guidance to affected individuals on how to protect their personal information and monitor for any suspicious activity[4].
Citations:
- https://incident.miami.edu
- https://www.bizjournals.com/southflorida/news/2021/03/26/university-of-miami-investigates-data-breach.html
- https://security.it.miami.edu/sos-and-get-help/index.html
- https://umiamihealth.org/en/patient-,-a-,-visitors/notice-of-data-breach
- https://www.compliance.miami.edu/focus_areas/office-of-privacy–data-security/index.html
- https://www.it.miami.edu/about-umit/it-news/phishing/phishing-at-the-u/index.html
- https://www.local10.com/news/local/2021/03/26/university-of-miami-suffers-data-breach-in-connection-with-cloud-provider-accellion/
- https://www.databreaches.net/university-of-miami-health-breach-notice/
- https://youtube.com/watch?v=xO-Vmov5vVU
- https://www.nbcmiami.com/news/local/university-of-miami-investigating-data-security-incident-on-campus/2414923/
- https://www.govtech.com/security/hackers-target-university-of-miami-health-system-patients.html
- https://www.justice.gov/usao-mdfl/pr/university-miami-student-charged-hacking-multi-national-shipping-receiving-and-supply