Student newspaper finds gaping security loopholes in a Harvard web site
Harvard's student newspaper, The Crimson, found massive security problems in Harvard's web site, including the ability to look up prescription records, medical records, and even find people protected by FERPA. The iCommons Poll Tool allowed users with nothing more than a Hotmail account to look up ID numbers that could be used to find all sorts of information that should be kept confidential according to federal law.
- Staff writers
News summary:
- The confidential drug purchase histories of many Harvard students and employees have been available for months to any internet user, as have the e-mail addresses of high-profile undergraduates whose contact information the University legally must conceal, a Crimson investigation has found.
- The now-disabled Harvard website, iCommons Poll Tool, required nothing more than a free, anonymous Hotmail account and five minutes to look up the eight-digit ID of any student, faculty or staff member.
- A list of all three prescription drugs purchased by one student at University Health Services (UHS) Pharmacy was accessed by The Crimson by typing his ID number and birthday into another website, run by Harvard drug insurer PharmaCare.
- UHS, after being alerted to the security issues on PharmaCare's website by The Crimson yesterday, said it immediately called the insurer for an explanation.
- She added she did not yet know whether PharmaCare's website might violate HIPAA, a federal law prohibiting the unauthorized disclosure of individual medical records.
- Moreover, from the now-disabled University website, it took under a minute to produce the ID number and e-mail address of a student who told The Crimson he had been granted security status at Harvard under the Family Educational Rights and Privacy Act (FERPA) because his family is prominent in international politics.
- The glitch, and the vulnerabilities that remain, underscore the difficulties posed to information privacy by the widespread use of ID numbers to verify identity, even though those numbers are often not kept secret.
- "The University has a custodial obligation to protect the personal information of its students, its faculty and its employees," said Marc Rotenberg '82, executive director of the Electronic Privacy Information Center, after learning of The Crimson's findings.
- Bradner said the healthcare industry is under unusually strict requirements to protect sensitive information, in part due to HIPAA.