Private Data on U Louisville Patients Online for 18 Months

According to coverage in the Louisville Courier-Journal, a University of Louisville database with personal information about 700 patients in its kidney dialysis program was publicly available on the Internet for a year and a half. Only when a person unaffiliated with the institution sent e-mail about the exposure did the university become aware of the breach.

The newspaper reported that the information was posted to the Web site of the program by a doctor who thought the data was behind a password wall. Once the university was notified, it shut the Web site down.

The disclosed information included names, Social Security numbers, and dialysis treatment details. The university is providing credit monitoring to those affected.

Shortly after the breach was disclosed, university Chief Information Security Officer Bruce Edwards said in an interview published to the campus Web site that departmental level actions were necessary to help prevent data breaches.

"There are a few basic steps that can greatly enhance the security of sensitive data managed within each department," said Edwards. "Each department's technical support personnel should be familiar with [the university's] information security policies and, with the support of their department, should be able to implement these steps. The steps are simple, but they could very well require a lot of focus in departments with complex environments."

Among the steps specifically related to publishing data to a network or Web site were these:

  • To identify and inventory sensitive information applications and sources on the Web;
  • To assess the need for this type of information to be published online;
  • To verify whether the information is properly restricted;
  • To remove sensitive data and applications that don't need to be posted online;
  • To regularly review sensitive information and applications to verify restricted access and proper functionality; and
  • To maintain audit logs for all activity related to sensitive information.

About the Author

Dian Schaffhauser is a former senior contributing editor for 1105 Media's education publications THE Journal, Campus Technology and Spaces4Learning.

Featured

  • illustration of a futuristic building labeled "AI & Innovation," featuring circuit board patterns and an AI brain motif, surrounded by geometric trees and a simplified sky

    Cal Poly Pomona Launches AI and Innovation Center

    In an effort to advance AI innovation, foster community engagement, and prepare students for careers in STEM fields and business, California State Polytechnic University, Pomona has teamed up with AI, cloud, and advisory services provider Avanade to launch a new Avanade AI & Innovation Center.

  •  black graduation cap with a glowing blue AI brain circuit symbol on top

    Report: AI Is a Must for Modern Learners

    A new report from VitalSource identifies a growing demand among learners for AI tools, declaring that "AI isn't just a nice-to-have; it's a must."

  • glowing shield hovers above a digital cloud platform with abstract data streams and cloud icons in the background

    Google to Acquire Cloud Security Firm Wiz

    Google has announced it will acquire cloud security startup Wiz. If completed, the acquisition — an all-cash deal valued at $32 billion — would mark the largest in Google's history.

  • digital dashboard featuring a shield icon, graphs, a world map, and network nodes

    IBM Introduces Agentic AI Governance and Security Platform

    IBM has launched a new software stack for enterprise IT teams tasked with managing the complex governance and security challenges posed by autonomous AI systems.