The New York-based university disclosed a prolonged system intrusion that led to widespread exposure of personal and medical information.
Monroe University disclosed that an unauthorized party accessed its IT systems between December 9 and December 23, 2024, resulting in the theft of sensitive personal and health information belonging to nearly 321,000 individuals. In a breach report filed with state regulators, the for-profit university said the incident involved unauthorized access to certain internal systems over a nearly two-week period.
“We have learned that an unauthorized party gained access to certain Monroe University computer systems between Dec. 9 and Dec. 23, 2024 and acquired copies of some files on our network during that time,” the school said in a breach notice posted on its website.
The university later confirmed that 320,973 individuals were affected by what it described as an external system breach. Reporting cited by Cybernews indicates the compromised data may include Social Security numbers, passport details, financial account information, medical records, and health insurance data. Monroe University said it completed its investigation in September 2025, reported the incident to state regulators once the scope was confirmed, and stated there is currently no evidence that the exposed information has been misused.
Investigators determined that attackers remained inside the university’s environment for roughly two weeks, during which time they accessed a wide range of stored records. The data set included both identity information and health-related details, increasing the potential impact on affected individuals. Unlike payment card data or passwords, medical information cannot be replaced once exposed, which raises longer-term risks. The delay between the intrusion and final disclosure reflects the difficulty of reviewing large academic systems that store admissions records, student files, employee data, and healthcare-related information in multiple repositories.
In its notification materials, Monroe University said it had no indication that the information involved in the incident had been used for identity theft or fraud. The university advised affected individuals to remain alert by monitoring financial accounts and credit reports and reviewing insurance statements for unfamiliar activity. Monroe also stated that it has taken steps to improve system security and reduce the risk of similar incidents, although specific technical measures were not publicly detailed.
Recent incident reports show that higher education institutions continue to face sustained pressure from both phishing and ransomware campaigns. In late 2024, multiple U.S. universities experienced voice phishing intrusions that led to unauthorized access to donor, alumni, staff, and student information through compromised internal systems. Some of those same institutions were later impacted by ransomware activity tied to exploitation of an Oracle E Business Suite zero day flaw, resulting in the theft of personal and financial data. Separate disclosures from other universities have also confirmed large scale exposure of personal, health, and financial records following prolonged unauthorized access, reinforcing the sector’s ongoing vulnerability to both social engineering and software exploitation.
They store extensive personal, financial, and academic data across multiple systems and often support open network access for students and staff.
Medical histories and insurance records cannot be changed, which increases the risk of long-term misuse, such as false claims or impersonation.
No. Data can be retained and used later, which is why monitoring accounts and records over time is recommended.
Universities must analyze large and complicated systems to determine exactly what data was accessible and which individuals were affected.
They should monitor credit reports, review insurance and financial statements, and remain cautious of unexpected communications referencing university records.