Sensitive patient information leaked on U of L website
Date Reported:
6/2/10
Organization:
University of Louisville ("U of L")
Contractor/Consultant/Branch:
Division of Nephrology
Location:
Louisville, Kentucky
Victims:
Dialysis patients
Number Affected:
708
Types of Data:
"names, social security numbers and other personal information"
Breach Description:
"A University of Louisville database with the names, social security numbers and other personal information of 708 dialysis patients was accessible via the Internet for more than a year, university officials announced Wednesday morning."
Reference URL:
Business First
The Courier Journal
WFPL News
Report Credit:
Brent Adams, Business First
Response:
From the online sources cited above:
A University of Louisville database with the names, social security numbers and other personal information of 708 dialysis patients was accessible via the Internet for more than a year, university officials announced Wednesday morning.
The information was accessible on the university’s Kidney Disease Program Web site beginning Oct. 1, 2008, and it wasn’t noticed that it was accessible by the public until Monday, May 17.
[Evan] I can understand mistakes, but I have trouble reconciling what appears to be a more general information security program failure. When information is compromised and remains available for over 1-1/2 years, it speaks to a more significant failure.
University officials have disabled the database, which was not accessible through a direct link from the Internet but was accessible on the site because it did not include a “log-in” prompt, said Mark Hebert, director of communications and marketing for the university.
The breach was attributed to a programming error.
[Evan] This breach is attributed to more than a simple "programming error". At a minimum, this breach is also attributed to procedural error(s), a lack of adequate detective controls, and a lack of adequate scanning/testing of deployed controls.
The affected patients, or their next-of-kin, have been notified, and the university has hired a credit-monitoring agency to watch the credit of the affected patients for one year, said Hebert, who was uncertain how much the university will spend on the credit monitoring.
[Evan] How does a credit monitoring agency protect a patient from medical information misuse? For financial identity theft, one year of credit monitoring helps, but one year is inadequate. Social Security numbers don't expire after a year.
University officials have checked similar databases to ensure the proper safeguards are in place.
[Evan] Like what? What does the university claim to be "proper safeguards"?
They also have reviewed internal privacy and training records to ensure that university employees have been properly trained in handling sensitive patient information.
Patients who have questions about the privacy breach can call or write to the U of L Kidney Disease Program at 615 S. Preston St., Louisville, KY, 40202-1718.
Commentary:
Organizations that decide to make certain sensitive information available through publicly accessible portals (websites) must carefully control what information is made available, through strict procedural checks and balances. Furthermore, organizations need to regularly monitor and test their controls to ensure they remain effective. I don't know much about the technical architecture employed by the school, but there are a whole slew of technical best practices that should be followed too. It's too easy to make information available via the Internet.
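The "test your deployed controls" point above is the kind of check that can be automated and run on a schedule. The script below is an added example, not code from the original post or from the university; the site, paths and data it uses are constructed. It starts a throwaway local HTTP server that mimics the failure the report describes (a sensitive page that answers anonymously because it lacks a "log-in" prompt) next to two correctly protected pages, then probes every path that is supposed to require authentication and reports any that hand back data to an unauthenticated request.

```python
"""Verify that sensitive web paths refuse anonymous requests.

Added example (not part of the original post). The demo server, the
path list and the sample record are all constructed for illustration.
"""
import http.server
import threading
import urllib.error
import urllib.request

# Constructed list of paths that the application's policy says must be
# behind a login. In a real deployment this comes from the app's route
# table or access-control documentation, not from guessing.
PROTECTED_PATHS = ["/patients/export.csv", "/patients/search", "/patients/report"]


class DemoHandler(http.server.BaseHTTPRequestHandler):
    """Constructed mock of a kidney-program site: two pages check for a
    session, one forgot to."""

    def do_GET(self):
        if self.path == "/patients/search":
            # Correct: anonymous request is refused with a challenge.
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="demo"')
            self.end_headers()
        elif self.path == "/patients/report":
            # Also correct: anonymous request is redirected to the login page.
            self.send_response(302)
            self.send_header("Location", "/login")
            self.end_headers()
        elif self.path == "/patients/export.csv":
            # The defect: sensitive data served with no authentication check.
            body = b"name,ssn\nJane Doe,000-00-0000\n"  # constructed sample row
            self.send_response(200)
            self.send_header("Content-Type", "text/csv")
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_response(404)
            self.end_headers()

    def log_message(self, *args):
        # Keep the demo quiet; a real checker would log to its own sink.
        pass


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx: a redirect to a login page is itself the evidence
    that the control is in place, so record the 302 instead of chasing it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def start_demo_server():
    """Bind the constructed mock site on an ephemeral localhost port."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe_anonymous(base_url, paths):
    """Request each path with no credentials; return {path: status_code}."""
    opener = urllib.request.build_opener(_NoRedirect)
    results = {}
    for path in paths:
        try:
            with opener.open(base_url + path, timeout=5) as resp:
                results[path] = resp.status
        except urllib.error.HTTPError as err:
            # 401/403/3xx all land here; the code is what we care about.
            results[path] = err.code
    return results


def find_exposed(base_url, paths):
    """Return the protected paths that served content (2xx) anonymously."""
    statuses = probe_anonymous(base_url, paths)
    return sorted(p for p, code in statuses.items() if 200 <= code < 300)


def run_demo():
    """Stand up the mock site, run the check, tear it down; return exposures."""
    srv = start_demo_server()
    try:
        base = f"http://127.0.0.1:{srv.server_address[1]}"
        return find_exposed(base, PROTECTED_PATHS)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for path in run_demo():
        print(f"EXPOSED: {path} answered an anonymous request with data")
```

Run against a real site, the interesting design choice is the redirect handling: following a 302 to a login page yields a 200 and would hide the distinction between "protected" and "exposed", so the checker records the 3xx instead. A scheduled run of this kind is the detective control whose absence let the page in the report sit open for over a year.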
Past Breaches:
Unknown