Tulane University crime data breach exposes health records, sexual assault victims’ names – NOLA.com


Have you considered that someone could be secretly watching you or your child with your webcam right now? Is it worth taking such a risk? camDown can help stop them!

Health records and names of people who visited Tulane University Medical Center’s emergency department, including for attempted suicide. Graphic information about sexual assaults and the identities of the victims, witnesses and suspects.

All this and other sensitive information protected under federal privacy laws was visible to anyone with a Tulane email address until Friday morning, due to a Tulane University Police Department (TUPD) security breach, reported Lily Mae Lazarus of The Tulane Hullabaloo. 

The unredacted police reports dated back to Oct. 5, 2020 and were intended to be circulated internally to a list of 48 Tulane University administrators. But the breach meant that anyone with a Tulane email address had access to more than 60 of the TUPD’s unredacted Daily Activity Reports for two years.

“If you have a Tulane email address, you use Microsoft Outlook, which provides you access to SharePoint, a space where people organize projects,” Lazarus said. “All you had to do was search for ‘police department’ and this group would pop up, and you’d see these documents. The files were neither encrypted nor password-protected. It was a public group, so files were downloadable and shareable regardless of whether you were on the list.”

Lazarus and another Hullabaloo editor, Rohan Goswami, discovered the unredacted police reports Thursday night and notified TUPD Capt. Maurice Trosclair, who was unaware of the problem. Tulane spokesman Michael Strecker confirmed that TUPD wrongly believed the information was secure. The university’s IT department had removed the documents Friday morning.

“Based on our forensic examination, no one else (besides the two students) is believed to have accessed this information,” Strecker said in an emailed statement. “Microsoft has confirmed this. This information is now secure and we have taken steps to ensure that only authorized internal recipients are able to access the Daily Activity Report. More broadly, we are reviewing our data security protocols to ensure this type of incident does not occur again."

Officials stressed that the Tulane Medical Center records that were accidentally made accessible were limited to cases where a Tulane student was transported to the hospital or Tulane police were summoned to assist with an unruly patient.

Twice daily we'll send you the day's biggest headlines. Sign up today.

All medical records are supposed to be protected under the HIPAA Privacy Rule, and campus crime victims’ confidentiality are protected under the federal Clery Act, which requires colleges to track and disclose crime data. By revealing this information, Tulane re-victimized student crime victims, Lazarus said.

Police are investigating reports from several students at Loyola and Tulane who suspect their drinks were spiked while they were socializing a…

On Nov. 17, more than 500 students gathered outside McAlister Auditorium protesting sexual violence in the Tulane community. A 2017 study showed 41% of undergraduate women and 18% of men reported being sexually assaulted after enrolling at Tulane.

Lazarus describes the security breach as a manifestation of a larger problem.

“TUPD has a duty to protect the Tulane community, and by not protecting their identities, they have not done that,” Lazarus said. “It all adds up to a culture of not addressing crimes against students and not protecting students.”

Editor's note: This story was updated Dec. 5 to clarify the scope of the accidental release of medical records from Tulane University Medical Center.

Four in 10 undergraduate women at Tulane University say they have been victims of sexual assault — defined as any unwanted sexual contact — si…

Purchases made via links on our site may earn us an affiliate commission

After all of that camDown !