Health Data Management
June 3, 2010
The University of Louisville in Kentucky on June 2 posted a public
notice of a data breach in which protected health and financial
information from its kidney disease program was posted on a publicly
accessible Web site for 19 months.
According to local media reports, a physician who set up the site
believed it was protected. Because of a programming error, the physician
and an assistant entered data in October 2008 without knowing it was
going on a public page. The site was not accessible without typing in
the specific address, which would not be available through a search
engine, a spokesperson told television station WLKY. What follows is the
"The University of Louisville regrets to notify the public of an
unfortunate incident where a database containing 708 names, Social
Security numbers, type of dialysis received and access point for that
dialysis was available on a website beginning October 1, 2008. This
website could be accessed from outside the university. We became aware
of this situation on May 17, 2010 and disabled the website. Access to
the website was not easy and there were no direct links to the database.
"Our investigation found that a programming error did not include a 'log
in' requirement for the website. We examined a similar computer program
within the Kidney Disease Program and found that the code had been
Best Selling Security Books and More!
Shop InfoSec News