[ISN] Data Breach at U-Louisville

From: InfoSec News <alerts_at_private>
Date: Fri, 4 Jun 2010 00:37:32 -0500 (CDT)
http://www.healthdatamanagement.com/news/breach-notification-university-lousiville-40419-1.html

Health Data Management
Breaking News
June 3, 2010

The University of Louisville in Kentucky on June 2 posted a public 
notice of a data breach in which protected health and financial 
information from its kidney disease program was posted on a publicly 
accessible Web site for 19 months.

According to local media reports, a physician who set up the site 
believed it was protected. Because of a programming error, the physician 
and an assistant entered data in October 2008 without knowing it was 
going on a public page. The site was not accessible without typing in 
the specific address, which would not be available through a search 
engine, a spokesperson told television station WLKY. What follows is the 
university's notice:

"The University of Louisville regrets to notify the public of an 
unfortunate incident where a database containing 708 names, Social 
Security numbers, type of dialysis received and access point for that 
dialysis was available on a website beginning October 1, 2008. This 
website could be accessed from outside the university. We became aware 
of this situation on May 17, 2010 and disabled the website. Access to 
the website was not easy and there were no direct links to the database.

"Our investigation found that a programming error did not include a 'log 
in' requirement for the website. We examined a similar computer program 
within the Kidney Disease Program and found that the code had been 
included.

[...]


Received on Thu Jun 03 2010 - 22:37:32 PDT
