We understand how this notice of Accellion breach might be concerning for our partners who have entrusted the University of Colorado with their data. The university takes data security seriously.
The attack primarily affected our Boulder campus and was related to the use of the vendor Accellion for large file transfers. No internal university systems were affected.
The university conducted both an internal review of the data involved and contracted with a third party expert to review the data. These extensive reviews indicated that a minimal amount of research data was exposed and it did not include any protected health information subject to HIPAA regulations. Specifically, the only research data involved was limited to the CU Boulder campus. The review shows that no Anschutz Medical Campus (or their hospital affiliates), Denver or UCCS research data was impacted.
With respect to the impacted CU Boulder research data, the Principal Investigator on the project is aware and has notified the applicable partner and begun remedial efforts.
CU Boulder’s large file transfer service has been upgraded to a newer platform, Kiteworks. If you are a research partner and have any additional questions or concerns, please email privacy@cu.edu.