TTS's Security and Privacy blog offers news, announcements, and insights on responsible data use and best practices related to security and privacy at Tufts.

Unpacking the MOVEit Breach
(Gary Weingarden, Privacy Officer & Director IT Security | Published October 2023)
If you haven't heard about it yet, a software product called MOVEit was compromised by a group called cl0p. Lots of businesses used MOVEit, and many of those businesses provided data-related services to other businesses, so the exposure is spread out, and those impacted may be once- or more-removed from the business whose data was compromised. As a result, you may have already heard about other MOVEit-related breaches. If you're curious about the details, you can learn more here. Tufts has learned that NASCO, which provides technology to health insurers, like BCBSMA, was impacted. If you are a Tufts employee or dependent who is enrolled in our BCBSMA plan, you may receive a notice from NASCO. The notice will include instructions for how to sign up for 24 months of free credit monitoring and identity theft protection and the number for a toll-free call center. If you need more information, the best source is the call center phone number provided in the notice.
Learn more about statistics and analysis behind the MOVEit Breach.

Is this Personally Identifiable Information?
(Gary Weingarden, Privacy Officer & Director IT Security | Published September 2023)
Is this PII? I get this question a lot. Or the similar claim “I removed all the PII.” I regret to inform you, that’s not quite how it works. Don’t get me wrong, I know what you mean, but we’re really not talking about Personally Identifiable Information. In fact, the term “PII” doesn’t appear in many laws. PII is shorthand for what lawyers call covered data–any data that’s subject to a law or contract. PII casts a wider net than you’d expect and includes more than things like name, address, and SSN.