PharmaCare grants access to prescription history using questionable authentication
Incident Date: January 2005
Incident Location: Boston MA USA
Reporters at The Crimson published a report on January 21, 2005 that Harvard University student medical records were at risk of disclosure. PharmaCare is the Rhode Island-based company responsible for insuring student and faculty drug prescriptions at the university. These individuals could access records of their past drug purchases using the PharmaCare Web site.
What The Crimson reporters found was a poorly designed Web site that required little verification before allowing a user to enroll and access prescription records. Account creation was possible using only the Harvard University ID (HUID) and birthday of an insured student. And while HUIDs weren’t necessarily considered public information, they weren’t considered much of a secret either.
The problem was compounded by a separate system maintained by Harvard. A server hosting the iCommons polling tool allowed any Internet user to look up the HUIDs of Harvard students and employees, so the one credential that was not a matter of public record could be obtained without any relationship to the university. University staff disabled the iCommons Web site after being notified of the information disclosure issue.
PharmaCare reported that only a limited number of Harvard affiliates had used the prescription site. However, it had not yet determined whether anyone other than the reporters had illegally accessed confidential drug purchase histories. PharmaCare has disabled Harvard access to the site until the enrollment process is changed.
Shortly after the problem was featured in The Crimson, PharmaCare released a statement saying that it “protects Personal Health Information (PHI) in a diligent manner that is consistently in compliance with all regulations.” Foremost in their minds is likely to be HIPAA, which calls for fines to be levied against organizations that fail to adequately protect PHI. However, at the time of this story there was no news of any regulatory or civil action as a result of this incident.
Title: Harvard To Review Site Access Standards
Author: J. Hale Russell, Elisabeth S. Theodore
Publication: The Crimson
Publication Location: Boston MA USA
Publication URL: http://www.thecrimson.com/today/article505411.html
Do you have additional information to contribute regarding this story? If so, please email email@example.com with the details and source.