Identity theft

It's sounds like a suspense novel. On Friday I found a letter in my mailbox from Susan A Blair, MSJ, MBA,CIPP, CCEP, CIA, University of Florida's Chief Security Officer telling me that the Secret Service and the IRS have concluded that my personal data might have stolen by a state wide identity theft ring. Apparently it happened months ago, in October, but they only inform me now, because the law enforcement agencies didn't want to harm the investigation. They believe that some of the data may have been sold, and while they can't be sure what sensitive information might have been revealed, the person responsible- who was later identified as an employee of the UF clinic had access to my address, name, social security, date of birth among other things sufficient to apply for a credit card or two. Oddly, while they are certain the information is personal and not medical, and they have confirmed that this employee handled patient data improperly they didn't specify what exactly he was looking at and how. As an attorney I'm not too concerned about my address being public, because it already is. As an attorney licensed in two states I'm required to have them listed in both bars registries as I don't maintain an office. I'm lucky that the other data didn't ruin my credit history and financial reputation although with it being sold I have no guarantee that it will not happen nine months down the line. The most bizarre bit is that I've graduated from UF last three years ago and there's really no reason for anyone else other than alumni affairs to have access to any of my data. I've only given my current address to the law school so they can send me their invitations and newsletters.  This situation raised some obvious questions about the safety of my personal data that the letter did not answer, but also about UF's procedures relating to handling information like this.
1. Is it that all departments and all units can answer all information on past and current students or is it in anyway limited to their areas of expertise?
2. Is there any security filter limiting access to social security numbers or are they as easily accessed as the name and address? Are there different levels of access for different types of information or can a large group of people pull all my information at once?
3. Why isn't there a procedure that obscures the data stored about the alumni? Clearly, as we don't use any of the services students do, it doesn't need to be as readily available.
4. How large is the number of employees that have access to complete personal data and do they have to have any special training to get it? Are there different levels of access within departments?
5. Is UF currently evaluating its' procedures in regard to this matter?
6. How large is the group of students and alumni affected?
7. How can UF be sure that the data was only personal and not medical in nature? Are there different safeguards in place for information about health?

I believe that in the interest of students, the alumni, it's own reputation, UF should address this issues publicly.