UF officials notify patients of privacy breach

University of Florida officials have notified 2,047 people that their Social Security or Medicaid identification numbers were included on address labels affixed to letters inviting them to participate in a research study.

The letters were sent through the U.S. Postal Service on May 24, and the information also was shared with a telephone survey company. The problem was discovered June 6, and UF officials immediately launched an investigation. Use of Social Security numbers and certain other individual identifying numbers for non-essential purposes is against university policy.

The company, Burlington, Vt.-based Macro International Inc., plans to purge and destroy the information and sign legal documents indicating the task has been completed. The Gainesville-based printer that produced the mailing labels, Renaissance Printing, has already done so.

“We were dismayed to learn of this breach and deeply regret any concern this may cause these individuals,” said Susan Blair, the university’s chief privacy officer. “We have taken steps to address this problem and are continuing to evaluate our processes and procedures.”

The letters were generated as part of the third phase of a research study conducted through the UF College of Medicine’s Department of Epidemiology and Health Policy Research. They were sent to parents or guardians of adolescent girls listed in a statewide database to seek their participation in a telephone survey about human papillomavirus, or HPV, vaccination. The study included a control group of unvaccinated girls ages 9 to 17 and those ages 11 to 17 who had received the vaccine.

The numbers, which were included on the address label so the telephone survey company could identify participants by their number only, were supposed to have been generated randomly. Instead, 647 were Social Security numbers and the remainder were Medicaid numbers, in both cases preceded by an alphabetical character with the hyphens omitted.

UF officials have alerted the state Agency for Health Care Administration and the federal Office of Civil Rights. Information about the breach also has been posted on the university’s home page and to the privacy office’s website.

Study subjects also received information about extra steps they can take to safeguard their financial information, although officials believe the risk of anyone using the information for identity theft or other unlawful purposes is extremely low, Blair said. Anyone with questions after reviewing the information sent to them can call the Privacy Office Hotline at 1-866-876-HIPA.