The University of Miami has provided notification letters to affected individuals about a data security incident involving Accellion, a third-party provider of file transfer services, which affected some of their personal information.
Accellion informed the University of Miami about a security vulnerability in their file transfer service on January 22, 2021. In response, the University disabled the Accellion file transfer service, initiated an investigation, and retained leading cybersecurity experts to assist with the investigation. The investigation determined the incident was limited solely to the Accellion file transfer service. The University of Miami also promptly notified law enforcement and is cooperating with the investigation of the Accellion incident.
On March 17, 2021, the University of Miami determined that hackers acquired certain files in the Accellion file transfer service on January 20, 2021. After making this determination, the University began to analyze the files to determine which individuals and data had been affected. The University then began notifying affected individuals by postal mail under applicable laws.
Based on the investigation, the University identified some personal health information in the files that the hackers acquired through the Accellion file system. The affected information varied by individual but potentially included some combination of the following data elements: first and last name; date of birth; street address; medical record number; provider or department name; and insurance and medical information, including subscriber identification number, treatment cost information, and medical billing codes, such as Current Procedural Terminology (CPT) codes. For a small group of affected individuals, the personal information acquired through the Accellion file system included medical record information, including treatment, diagnosis, and medical history information.
As a precaution, the University has engaged Kroll to provide identity monitoring services for affected individuals at no cost for up to one year.
The University of Miami regularly reviews its physical and electronic safeguards to protect personal information and will continue to take appropriate steps to safeguard personal information and its systems. The University is committed to data protection and deeply regrets any inconvenience or concern this incident may have caused. If you have not received a notification letter but think you may have been impacted by this incident, you can call 1-800-573-9188, Monday – Friday, 9 a.m. to 4 p.m. to learn whether your information was involved.