August 10, 2023
Dear Loyola Community,
As Loyola University Chicago recently reported, a vulnerability in the file transfer application MOVEit (MOVEit Software) has been impacting organizations and exposing personal data worldwide. Although Loyola does not use the MOVEit Software, some of the University’s third-party service providers do.
Recently, Loyola reported that two such University service providers–the National Student Clearinghouse (NSC) and The Teachers Insurance and Annuity Association (TIAA)–had notified Loyola that certain personally identifiable information that the University shares with NSC and TIAA may have been exposed due to the use of MOVEit’s Software in connection with these third parties providing services to Loyola. NSC and TIAA are continuing to investigate and respond to the MOVEit data breach. TIAA’s third-party vendor, Pension Benefit Information, LLC (PBI), which uses the MOVEit Software in providing services to TIAA, was the actual party directly affected by the data breach and has started to send data breach notices on behalf of TIAA to affected Loyola community members. Based on the University’s communications with NSC, it is anticipated that NSC will be sending breach notices to affected Loyola community members in the coming weeks. Based on the information provided by NSC to Loyola, no one at Loyola had financial or social security number information disclosed, and only two individuals had date of birth information disclosed. Although more than two Loyola community members were impacted, the disclosure of other individuals’ information did not include information protected by the Illinois Personal Information Protection Act (PIPA), so such individuals will not receive NSC notice letters.
This notice is to report that the MOVEit Software data breach has impacted a third organization with whom Loyola has a contractual relationship—United Healthcare Student Resources (UHCSR). Loyola has contracted with UHCSR to provide student health insurance to students who are not covered by their parent(s)’ policy or other insurance. Loyola has been informed that the personal data of University students was impacted as a result of the MOVEit Software data breach incident. Although UHCSR has not provided the University with specific students impacted or the specific information exposed, it has generally advised Loyola that the information exposed may have included a combination of names, dates of birth, addresses, phone numbers, email addresses, plan identification numbers, policy information, student identification numbers, claims information, provider services, dates of service, diagnosis codes, and prescription information and, for a subset of affected individuals, Social Security numbers or national identification numbers. UHCSR reports that the breach did not involve the disclosure of driver’s license numbers or financial account information.
UHCSR has advised Loyola that it has provided notification of the data breach to all affected individuals and has offered such individuals two years of complimentary Norton LifeLock® Standard identity theft protection services.
Consistent with its prior advice, Information Technology Services (ITS) recommends that you closely monitor your financial accounts for suspicious activity. You can also check your credit report for free and, if necessary, consider placing a credit freeze on your credit report with each of the three credit reporting agencies.
The University takes the privacy and security of all members of our campus community seriously and Loyola will continue to actively monitor the situation.
ITS will continue to update this page as needed.