Private Data on U Louisville Patients Online for 18 Months

According to coverage in the Louisville Courier-Journal, a University of Louisville database with personal information about 700 patients in its kidney dialysis program was publicly available on the Internet for a year and a half. Only when a person unaffiliated with the institution sent e-mail about the exposure did the university become aware of the breach.

The newspaper reported that the information was posted to the Web site of the program by a doctor who thought the data was behind a password wall. Once the university was notified, it shut the Web site down.

The disclosed information included names, Social Security numbers, and dialysis treatment details. The university is providing credit monitoring to those affected.

Shortly after the breach was disclosed, university Chief Information Security Officer Bruce Edwards said in an interview published on the campus Web site that departmental-level actions were necessary to help prevent data breaches.

"There are a few basic steps that can greatly enhance the security of sensitive data managed within each department," said Edwards. "Each department's technical support personnel should be familiar with [the university's] information security policies and, with the support of their department, should be able to implement these steps. The steps are simple, but they could very well require a lot of focus in departments with complex environments."

Among the steps specifically related to publishing data to a network or Web site were these:

  • To identify and inventory sensitive information applications and sources on the Web;
  • To assess the need for this type of information to be published online;
  • To verify whether the information is properly restricted;
  • To remove sensitive data and applications that don't need to be posted online;
  • To regularly review sensitive information and applications to verify restricted access and proper functionality; and
  • To maintain audit logs for all activity related to sensitive information.
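The third and fifth steps above (verify that published information is properly restricted, and re-verify on a schedule) are the ones that would have caught this exposure, since the doctor believed the file sat behind a password wall when it did not. The following is an added example of that check, not code from the article or from the university: it walks a list of site paths as an anonymous client with no cookies or credentials, records how each path answers, and scans any 200 response for Social Security number patterns. The paths, the file contents and the site responses are constructed and hypothetical; a live run would replace `fetch_sample` with a real unauthenticated HTTP GET.

```python
"""Unauthenticated exposure check for a departmental web site.

Added example, not the article's or the university's code. Every path is
requested as an anonymous client; a 200 whose body contains SSN-like
strings is the failure mode in the article: data the owner thought was
password-protected but which answers to anyone on the Internet.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed, hypothetical responses standing in for a live site so the
# check runs offline. Keys are paths, values are (status, body) for an
# anonymous GET. None of this is real patient data.
SAMPLE_SITE: Dict[str, Tuple[int, str]] = {
    "/dialysis/index.html": (200, "<h1>Dialysis Program</h1>"
                                  "<a href='/dialysis/roster.csv'>roster</a>"),
    "/dialysis/roster.csv": (200, "name,ssn,treatment\n"
                                  "Jane Doe,123-45-6789,hemodialysis 3x/week\n"),
    "/dialysis/admin/": (401, "Authorization required"),
    "/dialysis/schedule.html": (302, ""),   # redirects to a login page
    "/dialysis/faq.html": (200, "Dialysis clinic hours: 7am to 7pm."),
}

# nnn-nn-nnnn, excluding area 000/666/9xx, group 00 and serial 0000, which
# are never issued. A format check only, not proof that a number is real.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


@dataclass
class Finding:
    path: str
    status: int
    ssn_hits: int

    @property
    def restricted(self) -> bool:
        # 401/403 means the server refused the anonymous client. A 3xx is
        # probably a login redirect but must be confirmed by hand, so it is
        # deliberately not counted as restricted here.
        return self.status in (401, 403)

    @property
    def exposed(self) -> bool:
        return self.status == 200 and self.ssn_hits > 0


def fetch_sample(path: str) -> Tuple[int, str]:
    """Anonymous GET against the constructed site; 404 for unknown paths."""
    return SAMPLE_SITE.get(path, (404, ""))


def audit(paths: List[str],
          fetch: Callable[[str], Tuple[int, str]] = fetch_sample) -> List[Finding]:
    """Inventory step: record how each path answers an unauthenticated request
    and how many SSN-shaped strings an unauthenticated reader would see."""
    findings: List[Finding] = []
    for path in paths:
        status, body = fetch(path)
        hits = len(SSN_RE.findall(body)) if status == 200 else 0
        findings.append(Finding(path, status, hits))
    return findings


def exposed_paths(findings: List[Finding]) -> List[str]:
    """Verify step: paths that serve SSN-like data to anyone."""
    return [f.path for f in findings if f.exposed]


def unrestricted_expected(findings: List[Finding],
                          must_be_restricted: List[str]) -> List[str]:
    """Paths the inventory says must be restricted but that answered 200.
    This catches files with no obvious pattern to match as well."""
    want = set(must_be_restricted)
    return [f.path for f in findings if f.path in want and f.status == 200]


if __name__ == "__main__":
    results = audit(list(SAMPLE_SITE))
    for f in results:
        print(f"{f.status} {f.path} ssn_hits={f.ssn_hits} restricted={f.restricted}")
    print("exposed:", exposed_paths(results))
    print("expected restricted but open:",
          unrestricted_expected(results, ["/dialysis/roster.csv", "/dialysis/admin/"]))
```

Running the check as an anonymous client is the point: testing while logged in, as the doctor presumably was, proves nothing about what the public sees. The `unrestricted_expected` check matters because pattern matching alone misses treatment notes or rosters without SSNs; the inventory from the first step has to say which paths must never answer 200 to an outsider. Scheduling this to run regularly, and keeping its output, covers the review and audit-log steps as well.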

About the Author

Dian Schaffhauser is a writer who covers technology and business for a number of publications. Contact her at dian@dischaffhauser.com.
