Dear Loyola Community,
On approximately November 17, 2023, Athletic Trainer Systems (“ATS”) notified Loyola University Chicago (“Loyola”) and Select Physical Therapy (“SPT”) of a data security incident. Since 2013, Loyola has retained SPT (and its predecessor, NovaCare) to provided athletic trainers to work with Loyola’s student athletes. As part of such work, SPT’s trainers log onto and enter data on an ATS software platform (the “ATS system”) to record the services provided to Loyola student athletes. Student athletes are also able to log onto the ATS system.
In its November 17, 2023, notice and in a subsequent November 30, 2023, notice, ATS reported to Loyola and SPT that weak passwords used by certain users of the ATS system “were vulnerable to brute force hack attempts” and may have been guessed by a threat actor and used to access and acquire personal information of Loyola student athletes sometime between January 2020 and January 2021. The personal information that may have been accessed may have included a Loyola student athlete’s name, date of birth, medical history, injury status, demographic information, photograph, therapy and rehabilitation referrals, COVID-19 status (including vaccinations), and Social Security number.
In December 2023, ATS provided Loyola with a list of all Loyola student athletes whose profiles appeared in the ATS System prior to January 4, 2021, which is when ATS instituted a mandatory password reset, requiring users to select a new, more complex password in order to address and correct the password vulnerability concern. ATS has been unable to confirm which specific student athlete profiles may have been accessed or downloaded. Loyola has contacted student athletes who appear on the list and will be offering complimentary credit monitoring services to those affected.
To date, Loyola has no evidence that such personal information was actually used.
Although ATS has indicated that the data security incident appears to have occurred more than three years ago, if you still have an active student profile and access to the ATS System, Loyola advises you to promptly change your username and password, and any security question.
Loyola takes this incident very seriously and we are continuing to investigate this matter in order to institute additional safeguards to prevent any recurrence. Please be assured that Loyola is taking steps to increase information security awareness training as well as identifying additional technology measures that will strengthen our information security posture. Each day, Loyola monitors its systems for unlawful attacks and, on an ongoing basis, implements new technologies intended to defeat such attacks and protect the personal information of Loyola faculty, staff, and students.