The faculty and staff at DePaul University are eligible to earn financial incentives by enrolling to the University’s wellness program, which is optional. The University sent a congratulatory email on December 14, 2018, to the wellness program participants for successfully completing the 2018 wellness program.
What was exposed?
In the group email sent to wellness program participants, the University inadvertently exposed personal information of 656 participants which included names, and email addresses.
A spokesperson for DePaul University Carol Hughes said in an email, “Rather than blind copying email participants, the December 14 communication displayed the names and email addresses of employees who successfully completed the university’s 2018 wellness program,” reported Crain's Chicago Business.
What was the immediate action taken?
The University has reported the incident to the U.S Department of Health and Human Services. The University has further requested the employees to delete the email as it had inadvertently exposed the personal information of employees in the email.
In a follow-up email to the 656 employees, DePaul University said, “This is information we simply did not intend to share, and as a result, we would kindly request that you delete the email. Going forward, we will be taking steps to prevent any recurrence, including automating future emails on this subject.”
The University also confirmed that the exposed information is harmless and therefore precautionary steps are not needed at this time.
“In the meantime, given the very limited content in the email, we have no reason to believe that the information shared creates any risk of identity theft or other harm and therefore do not believe you need to take any further steps at this time,” the email added.