Private Data on U Louisville Patients Online for 18 Months

According to coverage in the Louisville Courier-Journal, a University of Louisville database with personal information about 700 patients in its kidney dialysis program was publicly available on the Internet for a year and a half. Only when a person unaffiliated with the institution sent e-mail about the exposure did the university become aware of the breach.

The newspaper reported that the information was posted to the Web site of the program by a doctor who thought the data was behind a password wall. Once the university was notified, it shut the Web site down.

The disclosed information included names, Social Security numbers, and dialysis treatment details. The university is providing credit monitoring to those affected.

Shortly after the breach was disclosed, university Chief Information Security Officer Bruce Edwards said in an interview published on the campus Web site that department-level actions were necessary to help prevent data breaches.

"There are a few basic steps that can greatly enhance the security of sensitive data managed within each department," said Edwards. "Each department's technical support personnel should be familiar with [the university's] information security policies and, with the support of their department, should be able to implement these steps. The steps are simple, but they could very well require a lot of focus in departments with complex environments."

Among the steps specifically related to publishing data to a network or Web site were these:

  • To identify and inventory sensitive information applications and sources on the Web;
  • To assess the need for this type of information to be published online;
  • To verify whether the information is properly restricted;
  • To remove sensitive data and applications that don't need to be posted online;
  • To regularly review sensitive information and applications to verify restricted access and proper functionality; and
  • To maintain audit logs for all activity related to sensitive information.

About the Author

Dian Schaffhauser is a former senior contributing editor for 1105 Media's education publications THE Journal, Campus Technology and Spaces4Learning.
