Personal and medical data from students using Stanford’s Cardinal Care health insurance service — including medical conditions and treatment information — was compromised in a data breach in January.
Health Net, the insurance provider through which Stanford offers Cardinal Care, disclosed the breach to affected users in late March.
Over the past week, students received letters from Health Net informing them that their addresses, dates of birth, insurance IDs and health information were compromised in a cyberattack, just days after personal information from Stanford community members was posted online in a separate data breach announced by the School of Medicine.
Though Stanford students’ data was compromised in both incidents, the two breaches were separate attacks on Stanford and Health Net. The Health Net breach does not appear to be limited to users associated with Stanford: According to the U.S. Department of Health and Human Services, over 1,200,000 individuals have been affected by the Health Net breach.
Both breaches targeted an outdated file transfer service, Accellion File Transfer Appliance, whose vulnerabilities have been the source of numerous data thefts from companies and universities in the past two months.
According to Health Net’s announcement, Accellion informed Health Net of its data breach on Jan. 25. Health Net informed customers that their data was compromised in letters dated March 24, and offered one year of free identity protection service to affected individuals.
Stanford did not respond by press time to questions from The Daily asking if the University was aware of the Health Net data breach and when Stanford was made aware of its own data breach.
Health Net also did not respond to The Daily’s request for comment.
The extent of Stanford’s own data breach remains unclear. On Tuesday, HIPAA Journal reported that Stanford “confirmed” that the protected health information of Stanford Medicine patients was compromised in a cyberattack. Stanford Medicine’s incident page about the data breach neither discusses nor confirms this, and the Department of Health and Human Services registry of recent protected health information breaches does not list Stanford Medicine.
Stanford did not respond to multiple inquiries from The Daily asking if Stanford has notified all community members affected by its data breach. As of press time, Stanford Medicine had not updated its incident page on the data breach since its initial announcement on April 2.
Students and staff may have to wait a little longer to know for sure if they’ve been affected. Riana Pfefferkorn, a researcher in the Stanford Internet Observatory, said the University’s legal obligations to notify affected individuals involved in a data breach could be complicated by many factors, including compliance with law enforcement in an investigation.
“Stanford [is] likely still investigating and determining the extent of the breach and the attendant legal obligations, and members of the Stanford community can expect to wait for a few more days before they receive a notice if they were affected by the breach,” Pfefferkorn wrote.
Stanford’s investigation is ongoing, according to the School of Medicine. That process could take anywhere from weeks to months.
“You can start with the data that was leaked, but of course it’s possible that more data was stolen,” said Jack Cable ’22, a security researcher who’s worked with the U.S. Cybersecurity and Infrastructure Security Agency. “So that could take several months to do that full investigation. Of course, that doesn’t stop you from notifying people… once you’re more confident of what actual information was stolen.”
“Getting an initial sense of what was out there, I think that’s reasonable to say that you could get that within a few weeks,” Cable added.
Cybersecurity experts at Stanford recommend that individuals place a fraud alert on their credit with a credit bureau and consider freezing their credit if they’re concerned about their personal information being compromised.