Incident Involving Personal Information August 23, 2020
Dear Campus Community,
Over the weekend, we became aware of a regrettable error, outlined below. We provided the following information to the Lexington Herald-Leader this afternoon. We will reach out early this week to those students and employees who may have been impacted. We apologize for any anxiety this issue may cause.
"The university was notified this weekend that a spreadsheet that the University’s contact tracing team was utilizing – containing the names of several hundred students and a small number of employees – was not appropriately protected. It may have been viewed by people with university email addresses who were not on the tracing team. While not an external security incident with respect to University systems, this was, without question, a regrettable error. We deeply apologize for it and will do everything possible to make it right on behalf of our students and employees.
Here is what we know:
- The contact tracing team was a utilizing a file sharing platform to coordinate notification of members of the UK community, who had received a negative test result as part of Phase 1 testing of university students and employees over the past two weeks.
- As soon as we realized this issue, the files in question were moved to a private and secured location.
- However, some personal information – including a name, date of birth and negative test result – may have been viewed by people with university email addresses who should not have had access. None of the data involved social security numbers. We are analyzing now to what extent such information was viewed. Only those with active UK credentials would have been able to view the files. We are able to determine who accessed the files in an unauthorized manner and plan to follow up with each individual.
- None of the information is considered protected health information under the Health Insurance Portability and Accountability Act (HIPAA). For students, though, the information is protected by the Family Educational Rights and Privacy Act (FERPA). For our employees, this is a violation of our normal privacy standards.
- The university is working with the appropriate officials and technical teams to ensure the privacy and security of information is strongly safeguarded.
- The university also is reaching out early this week to those students and employees who may have been impacted.
- If someone has questions about this issue, they can contact email@example.com. This information also is being posted on the uky.edu/coronavirus site, where updates will be made.
Again, we apologize for this error to members of our community who were impacted by this issue. We are working quickly to address it and will keep everyone informed about our next steps." – Jay Blanton