Mistake exposes students’ data on Web

In the second major breach of security at Kansas University this year, the names and Social Security numbers of 920 health care students at KU Medical Center were posted on the Internet for one week, it was revealed Friday during a legislative committee meeting.

James Bingham, chief information officer at the Med Center, said the incident resulted from “a series of egregious errors at the clerical levels” at KU and the state of Kansas.

Identity thieves often use Social Security numbers to obtain credit cards and open bank accounts. KU officials, however, said none of the 920 nursing and allied health students had reported any problems with identity theft since their information was posted on the Internet.

Earlier this year, a computer hacker cracked into the KU computer system and downloaded files on 1,450 foreign students at KU. That case is still under investigation by the FBI.

Bingham noted the private information about the health care students didn’t reach the Internet through a breach of the school’s computer system.

But state Rep. Joe McLeland, R-Wichita, chairman of the House-Senate Information Technology Committee, said: “This is a serious security issue.”

Information on bid

University officials said the names and Social Security numbers ended up on the Internet as information added to a solicitation for bids for a malpractice insurance policy.

KU was seeking bids for liability insurance to cover its nursing and health students.

Bidders sought the names of the students, and when a clerk at KU Medical Center submitted the names to the Kansas Department of Administration’s purchasing division, the employee failed to omit the students’ Social Security numbers.

The numbers were not recognized at the purchasing division as Social Security numbers and were placed on the Web site with information about the bid.

“We had a number of opportunities to catch this mistake, and we just didn’t do it,” said Ed Phillips, vice chancellor for administration at the Med Center.

The names and numbers were on the Web site between April 16 and April 22, officials said. Someone at the state discovered the problem and the information was removed.

Delayed reaction

University officials concede the consequences could have been drastic if the Social Security numbers were downloaded by thieves. Nonetheless, months passed before KU told the students that their information had been posted online.

The Department of Administration didn’t notify KU until about 10 days after the names were removed from the Web site. Caleb Asher, a spokesman for the Department of Administration, said the department wanted to make sure the problem was corrected before notifying KU.

And KU didn’t notify the students until sending out a letter June 27 — more than two months later — about the potential problem.

“I’m not going to quibble that we could’ve gotten it out sooner,” Phillips said.

He said the university spent some time investigating how the incident occurred.

In the letter, the university provided some tips on preventing identity theft and offered to help anyone who thought his Social Security number was being used by someone else.

“We have had no reports that anyone was harmed,” he said.

He said the Social Security numbers were on a Web site that is not generally viewed by the public. State officials reported that it had been accessed 26 times while the names and numbers were on it, he said.