BreachExchange mailing list archives

Data Breach at U-Louisville


From: security curmudgeon <jericho () attrition org>
Date: Fri, 4 Jun 2010 00:43:46 -0500 (CDT)



---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>

http://www.healthdatamanagement.com/news/breach-notification-university-lousiville-40419-1.html

Health Data Management
Breaking News
June 3, 2010

The University of Louisville in Kentucky on June 2 posted a public notice 
of a data breach in which protected health and financial information from 
its kidney disease program was posted on a publicly accessible Web site 
for 19 months.

According to local media reports, a physician who set up the site believed 
it was protected. Because of a programming error, the physician and an 
assistant entered data in October 2008 without knowing it was going on a 
public page. The site was not accessible without typing in the specific 
address, which would not be available through a search engine, a 
spokesperson told television station WLKY. What follows is the 
university's notice:

"The University of Louisville regrets to notify the public of an 
unfortunate incident where a database containing 708 names, Social 
Security numbers, type of dialysis received and access point for that 
dialysis was available on a website beginning October 1, 2008. This 
website could be accessed from outside the university. We became aware of 
this situation on May 17, 2010 and disabled the website. Access to the 
website was not easy and there were no direct links to the database.

"Our investigation found that a programming error did not include a 'log 
in' requirement for the website. We examined a similar computer program 
within the Kidney Disease Program and found that the code had been 
included.

[...]
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
