U of Louisville exposes patient data on website
The University of Louisville in Kentucky has notified the public that a database containing personal health information was available online from October 2008 until last month.
“The University of Louisville regrets to notify the public of an unfortunate incident where a database containing 708 names, Social Security numbers, type of dialysis received and access point for that dialysis was available on a website beginning Oct. 1, 2008,” read an official statement from the university.
The university became aware of the situation on May 17, and has disabled the website. Access to the website was “not easy” and there were no direct links to the database, according to the statement.
Affected patients or their next of kin have been contacted, the organization stated.
“Our investigation found that a programming error did not include a ‘log in’ requirement for the website. We examined a similar computer program within the Kidney Disease Program and found that the code had been included,” stated the university.
To prevent similar occurrences in the future, the university stated it has reviewed the electronic information paths for this division to prevent impermissible access and to ensure that only the minimum information necessary for the appropriate and intended use is available. The university also reviewed the privacy and security training records to ensure the division’s personnel have met the applicable requirements.
Patients and others who have further questions or concerns can call 502-852-0785.