Tulane University crime data breach exposes health records, sexual assault victims' names | Crime/Police | nola.com
BY MISSY WILKINSON | STAFF WRITER DEC 3, 2021 - 4:32 PM
New Orleans and Tulane University police investigate a shooting near Tulane University at the intersection of Calhoun and Willow streets on Thursday, June 18, 2020.
Chris Granger
Health records and names of people who visited Tulane University Medical Center’s emergency department, including for attempted suicide. Graphic information about sexual assaults and the identities of the victims, witnesses and suspects.
All this and other sensitive information protected under federal privacy laws was visible to anyone with a Tulane email address until Friday morning, due to a Tulane University Police Department (TUPD) security breach, reported Lily Mae Lazarus of The Tulane Hullabaloo.
The unredacted police reports dated back to Oct. 5, 2020 and were intended to be circulated internally to a list of 48 Tulane University administrators. But the breach meant that anyone with a Tulane email address had access to more than 60 of the TUPD’s unredacted Daily Activity Reports for two years.
“If you have a Tulane email address, you use Microsoft Outlook, which provides you access to SharePoint, a space where people organize projects,” Lazarus said. “All you had to do was search for ‘police department’ and this group would pop up, and you’d see these documents. The files were neither encrypted nor password-protected. It was a public group, so files were downloadable and shareable regardless of whether you were on the list.”
Lazarus and another Hullabaloo editor, Rohan Goswami, discovered the unredacted police reports Thursday night and notified TUPD Capt. Maurice Trosclair, who was unaware of the problem. Tulane spokesman Michael Strecker confirmed that TUPD wrongly believed the information was secure. The university’s IT department had removed the documents Friday morning.
“Based on our forensic examination, no one else (besides the two students) is believed to have accessed this information,” Strecker said in an emailed statement. “Microsoft has confirmed this. This information is now secure and we have taken steps to ensure that only authorized internal recipients are able to access the Daily Activity Report. More broadly, we are reviewing our data security protocols to ensure this type of incident does not occur again.”
Officials stressed that the Tulane Medical Center records that were accidentally made accessible were limited to cases where a Tulane student was transported to the hospital or Tulane police were summoned to assist with an unruly patient.
All medical records are supposed to be protected under the HIPAA Privacy Rule, and campus crime victims’ confidentiality is protected under the federal Clery Act, which requires colleges to track and disclose crime data. By revealing this information, Tulane re-victimized student crime victims, Lazarus said.
On Nov. 17, more than 500 students gathered outside McAlister Auditorium protesting sexual violence in the Tulane community. A 2017 study showed 41% of undergraduate women and 18% of men reported being sexually assaulted after enrolling at Tulane.
Lazarus describes the security breach as a manifestation of a larger problem.
“TUPD has a duty to protect the Tulane community, and by not protecting their identities, they have not done that,” Lazarus said. “It all adds up to a culture of not addressing crimes against students and not protecting students.”