Breach Cause: Lack of Web Site Log-In
University of Louisville cites 'programming error'
Information on 708 kidney dialysis patients, including their Social Security numbers, was accessible on a University of Louisville web site for more than 19 months as a result of what the university portrays as a "programming error."
In a June 2 statement, the university, which operates a Health Sciences Center, said it became aware of the problem on May 17, when it disabled the Web site that stored the patient database and lacked a "log in" requirement due to a "programming error." The information had been available on the site since Oct. 1, 2008.
Although the site could be accessed by those outside the university, "access was not easy, and there were no direct links to the database," the statement said.
The university has notified the patients affected as required under the HITECH Act Breach Notification Rule. It offered patients a year's worth of free credit monitoring service.
"To prevent similar occurrences, we have reviewed the electronic information paths for this division to prevent impermissible access and ensure that only the minimum information necessary for the appropriate and intended use is available," according to the statement. The university is also taking steps to ensure all staff members have adequate privacy and security training.