Unsecure UT-Arlington server leaves 27,000 prescription records vulnerable

ARLINGTON -- About 27,000 prescription records for students, faculty and staff maintained by the University of Texas at Arlington's Student Health Center were exposed to potential theft after a computer server was left unsecured four times.

The vulnerability was discovered after an outside source tried to access the server, UT-Arlington spokeswoman Kristin Sullivan said.

"There's no indication that any data was downloaded. We've had no reports of the data being used inappropriately," she said.

Sullivan described the incidents as "tantamount to someone opening an unsecured door and looking inside."

Reports about the incidents were filed with several authorities, including the U.S. Department of Health and Human Services, the Texas Department of Information Resources, the University of Texas System and the UT-Arlington Police Department.

The university is describing the incidents as "compromises" in security, not computer hacking or a breach, Sullivan said.

The issue surfaced during a security process when the university discovered irregularities in a log that documents attempts to access the server. The data problem was discovered June 21.

"An outside source was attempting to access the server," Sullivan said. "It was limited to this server. The server was taken offline immediately."

Sullivan said the server's lack of security was a combination of a software maintenance issue and human error.

The server was left vulnerable to possible computer attack last year on Feb. 19 and April 28 and this year on Jan. 23 and Feb. 10.

The exposed records were for people who received or filled prescriptions through the health center between 2000 and June 21, 2010, according to the university.

Information included names, addresses, prescription names, amounts spent and diagnostic codes; 2,048 of the 27,000 records included Social Security numbers. None of the records included credit card information or any other medical records, according to a UT-Arlington news release. Academic records were not exposed.

No other university servers were affected.

UT-Arlington has mailed letters to 21,554 people for whom the university had contact information. The university is trying to find the rest of those affected.

President James Spaniolo issued a letter to the university community about the problem and how it is being handled. The university has also contracted with Equifax to provide free credit monitoring for one year for those whose records included Social Security numbers.

Anyone who received a prescription or filled a prescription at the Student Health Center but didn't receive a notification letter can call 800-913-3055. The website,, contains information about the incident.

Diane Smith, 817-390-7675