University of Florida officials in Gainesville have notified 2,047 people that their Social Security or Medicaid identification numbers were included on address labels affixed to letters inviting them to participate in a research study.
The letters were sent through the US Postal Service on May 24, and the information also was shared with a telephone survey company. The problem was discovered June 6. Using Social Security numbers and other individual identifying numbers for non-essential purposes is against university policy, UF said in a media release.
The company, Burlington, VT-based Macro International Inc., said it will purge and destroy the information and sign legal documents indicating the task has been completed. The Gainesville-based printer that produced the mailing labels, Renaissance Printing, said it has already done so, UF said.
"We were dismayed to learn of this breach and deeply regret any concern this may cause these individuals," said Susan Blair, UF's chief privacy officer. "We have taken steps to address this problem and are continuing to evaluate our processes and procedures."
The letters were generated as part of a research study conducted through the UF College of Medicine's Department of Epidemiology and Health Policy Research. They were sent to parents or guardians of adolescent girls listed in a statewide database to seek their participation in a telephone survey about human papillomavirus, or HPV, vaccination. The study included a control group of unvaccinated girls ages 9 to 17 and those ages 11 to 17 who had received the vaccine.
The numbers — which were included on the address label so the telephone survey company could identify participants by their number only — were supposed to have been generated randomly. Instead, 647 were Social Security numbers and the remainder were Medicaid numbers, in both cases preceded by an alphabetical character with the hyphens omitted.
UF officials told the Florida Agency for Health Care Administration and the federal Office of Civil Rights. Information about the breach and has posted a notice on the university's home page and the privacy office's website.