A spreadsheet containing negative COVID-19 test results and personal information of several hundred University of Kentucky students and a few employees was left vulnerable to viewing by anyone with an active UK email address, the university learned over the weekend.
“While not an external security incident with respect to University systems, this was, without question, a regrettable error,” UK spokesperson Jay Blanton said in a statement. “We deeply apologize for it and will do everything possible to make it right on behalf of our students and employees.”
Student and employee’s names, dates of birth and negative COVID-19 test results were viewable via a public Microsoft Sharepoint file that the university’s contact tracing team was using to share information internally. The spreadsheet included those who had tested negative for COVID-19 in the last two weeks through the university’s initial round of mandatory testing.
The vulnerable data has since been moved to a more secure and private location. According to the statement, no social security numbers were available. Anyone with a valid UK credential — virtually any employee or student — was able to access the data.
The university is still working to determine how much the information was viewed by those who would not normally have access.
“We are able to determine who accessed the files in an unauthorized manner and plan to follow up with each individual,” Blanton said.
Early this week, UK will also be reaching out to the students and employees whose data was possibly viewed. The accessible information was not considered protected under the federal Health Insurance Portability and Accountability Act — known usually as HIPAA. According to the university, since the information is student data, it’s considered protected under the Family Educational Rights and Privacy Act — known commonly as FERPA. The vulnerability of the employee data is a violation of the university’s privacy standards.
“Again, we apologize for this error to members of our community who were impacted by this issue,” Blanton said. “We are working quickly to address it and will keep everyone informed about our next steps.”
The Lexington-Fayette County Health Department has reported 165 COVID-19 cases among UK students since classes started last week — bringing the total since March to 405. The University of Kentucky’s public dashboard, which has the number of cases through Tuesday and only includes the positive tests from UK’s student-testing initiative, has recorded 245 cases since Aug. 3 with an overall positivity rate of 1.1 percent. The initiative aims to test all on-campus students within seven days of arrival and concluded on Saturday.
Starting Sunday, the university will begin re-testing all of the approximately 5,500 students in fraternities or sororities after the university noted a 3 percent positivity rate among students in Greek life organizations, the university announced Friday. As of the announcement, 30 of the university’s 49 COVID-19 positive students in isolation resided in two fraternity houses.
The university’s next steps on the issue will be published on UK’s coronavirus website. Those with questions can email email@example.com.
Related stories from Lexington Herald Leader