Baker University notifies students of a data breach impacting 50K

The higher education institution has notified the Maine Attorney General and impacted students. 

 

What happened

Baker University, located in Kansas, recently notified the Maine Attorney General and published a notice on the University’s website regarding a breach impacting 53,624 individuals. 

According to the notice, the incident was discovered in December of 2024, when the University detected suspicious activity that resulted in a network outage. 

After securing its network environment, the institution conducted an investigation that ultimately found that files had been accessed between December 2nd, 2024, and December 19th, 2024. Currently, the University does not have reason to believe the data has been misused. 

 

Going deeper

Baker has also provided notice to individuals who were impacted. While data accessed varies by individual, Baker University's review determined the following information may have been impacted: names, dates of birth, driver’s license numbers, financial account information, health insurance information, medical information, passport information, Social Security numbers, student identification numbers, and tax identification numbers. 

Baker is providing complimentary credit monitoring services and notifying state and federal regulators. It is also encouraging individuals to remain vigilant against incidents of identity theft and fraud by reviewing account statements and monitoring credit reports. 

 

The big picture 

Universities often hold a significant amount of data on students, especially because many students use university-provided health centers or insurance. That, alongside financial information and other personal identifiers, like names and Social Security numbers, can make a university a treasure trove for hackers looking to sell the information on the black market. 

Educational institutions like Baker don’t always have to be HIPAA compliant, but they can still find themselves in legal trouble if they fail to adequately protect personal information. 

Universities are being increasingly targeted in data breaches. Just recently, the University of Phoenix reported a breach linked to a business associate. In December, Harvard University also reported a breach, and in November, Texas’ University of St. Thomas faced scrutiny over how they handled their own. These issues show that many universities aren’t doing enough to protect data, and hackers are becoming increasingly aware of these vulnerabilities. 

 

FAQs

Do universities have to comply with HIPAA?

According to Paubox, HIPAA applies to universities when they are acting as a covered entity, such as when they operate a health clinic or offer insurance plans. Otherwise, their actions must be compliant with the Family Educational Rights and Privacy Act, a law specific to educational institutions that still focuses on data protection and security. Some firms, like Srourian Law, are already investigating the incident. 

 

Why did it take so long for Baker University to notify students and the public?

It’s unclear why Baker University delayed notifying students, but it’s common for these breaches to take months to investigate. Some organizations also keep information related to investigations under wraps, as releasing too much information too early could hamper efforts to catch the cyber criminals.