Hundreds of students’ COVID-19 test data left unprotected at University of Kentucky

A spreadsheet containing negative COVID-19 test results of several hundred students and faculty at the University of Kentucky was left unprotected, viewable by anyone with a university email address, the university learned over the weekend.

The spreadsheet, which was being used by the University of Kentucky’s contact tracing team to notify individuals who received negative results for COVID-19 screening tests over the past two weeks, contained the names, dates of birth and negative test results of students and faculty. The university’s failure to properly secure this information was a “regrettable error,” Jay Blanton, a UK spokesperson, said in a statement.

“It is fair to say several hundreds, the vast majority of whom were students,” Blanton told EdScoop, adding that the exact number of people affected is still being determined.

The university’s contact tracing team members had been sharing the data with each other through a file-sharing platform, but the personal information contained in the spreadsheet had not been appropriately protected, Blanton said.

“It may have been viewed by people with university email addresses who were not on the tracing team,” he said.

None of the data included Social Security numbers, according to the university. UK has since moved the data into a “private and secured location,” Blanton said, and has begun reaching out to students and faculty who may have had their data exposed.

Similar recent incidents of universities failing to secure student data have also occurred at the Georgia Institute of Technology, where personal student information of more than 1,100 students was accidentally sent out in an email, and the University of Pittsburgh, where an administrator accidentally exposed a spreadsheet with financial data.