Breach Cause: Lack of Web Site Log-In

University of Louisville cites 'programming error'

Information on 708 kidney dialysis patients, including their Social Security numbers, was accessible on a University of Louisville web site for more than 19 months as a result of what the university portrays as a "programming error."

In a June 2 statement, the university, which operates a Health Sciences Center, said it became aware of the problem on May 17, when it disabled the Web site that stored the patient database and lacked a "log in" requirement due to a "programming error." The information had been available on the site since Oct. 1, 2008.

Although the site could be accessed by those outside the university, "access was not easy, and there were no direct links to the database," the statement said.

The university has notified the patients affected as required under the HITECH Act Breach Notification Rule. It offered patients a year's worth of free credit monitoring service.

"To prevent similar occurrences, we have reviewed the electronic information paths for this division to prevent impermissible access and ensure that only the minimum information necessary for the appropriate and intended use is available," according to the statement. The university is also taking steps to ensure all staff members have adequate privacy and security training.


About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.



