[ISN] Harvard Drug Records, Confidential Data Vulnerable

InfoSec News isn at c4i.org
Mon Jan 24 04:39:15 EST 2005


Crimson Staff Writers
January 21, 2005

The confidential drug purchase histories of many Harvard students and
employees have been available for months to any internet user, as have
the e-mail addresses of high-profile undergraduates whose contact
information the University legally must conceal, a Crimson
investigation has found.

Administrators shut down a Harvard website contributing to the breach
minutes after The Crimson demonstrated the problem yesterday
afternoon. But at press time, sensitive data - including the drug
histories of those insured by the University - remained vulnerable to
anyone who obtains a student or professor's non-confidential Harvard
ID number.

The now-disabled Harvard website, iCommons Poll Tool, required nothing
more than a free, anonymous Hotmail account and five minutes to look
up the eight-digit ID of any student, faculty or staff member.

A list of all three prescription drugs purchased by one student at
University Health Services (UHS) Pharmacy was accessed by The Crimson
by typing his ID number and birthday into another website, run by
Harvard drug insurer PharmaCare. Birthdates of undergraduates are
published to fellow students, and are in many cases more widely
available on sites such as anybirthday.com.

Last night, the insurer's website still required nothing more than
these two pieces of information to provide a list of drugs purchased
by anyone covered by Harvard's drug insurance policy - which is
mandatory for all undergraduates and also covers many faculty and

UHS, after being alerted to the security issues on PharmaCare's
website by The Crimson yesterday, said it immediately called the
insurer for an explanation.

"We.re in contact with PharmaCare," UHS Compliance Officer Barbara
Skane said yesterday evening. "We've expressed to them how serious
this is and that we're asking their senior management to look into it
to see what we can do to correct any inappropriate access." She added
she did not yet know whether PharmaCare's website might violate HIPAA,
a federal law prohibiting the unauthorized disclosure of individual
medical records.

Moreover, from the now-disabled University website, it took under a
minute to produce the ID number and e-mail address of a student who
told The Crimson he had been granted security status at Harvard under
the Family Educational Rights and Privacy Act (FERPA) because his
family is prominent in international politics.

"If a student contacts their Registrar and requests total privacy
under FERPA, this FERPA status...must also [be] recorded in the
central directory system," wrote Jane E. Hill, Harvard's Directory
Services project manager, in an e-mail.

FERPA legally requires universities not to disclose or verify
directory information, including names and e-mail addresses, of
individuals with a secure flag, except as required for specific
educational purposes. This protection is used both by "publicity-shy"  
celebrities and for students who - are legitimately terrified of some
potentially harmful person.a woman trying to disappear from a stalker,
for example," wrote former Dean of the College Harry R. Lewis '68 in
an e-mail.

Additionally, though Faculty policy prohibits it, many professors
still e-mail their students all class grades listed by ID numbers.  
Thus any of the 311 students in Psychology 1 this year, among others,
could have also used the disabled website to determine what exam
grades their classmates received - a confidential academic record.

After the iCommons Poll Tool was shut down last night, University
Technology Security Officer Scott Bradner said that "there's no
condition under which [the ID number] should have been shared, It was
not a design feature."

The glitch - and the vulnerabilities that remain - underscore the
difficulties posed to information privacy by the widespread use of ID
numbers to verify identity, even though those numbers are often not
kept secret.

"The University has a custodial obligation to protect the personal
information of its students, its faculty and its employees," said Marc
Rotenberg '82, executive director of the Electronic Privacy
Information Center, after learning of The Crimson's findings. "People
need to understand how pervasive the University's information
gathering and collating capabilities are... The impact on the Harvard
community in terms of the privacy exposure is substantial".


These vulnerabilities stem from Harvard.s use of a non-confidential
number to verify identity and access secure systems. ID numbers, which
Bradner says are considered "non-public but not secret," are often
widely distributed - to course heads and staff, on printed ID cards
and even to students planning a barbecue.

Though most Harvard websites with secure information require a
confidential PIN or other password in addition to the ID, The Crimson
has identified a number of online applications.ranging from PharmaCare
to network access to mail forwarding - that require nothing more than
an ID number and birthday, or ID and last name.

Computer security experts say such use of a non-secure identifier as a
password is a serious and common problem.

"The ID number, much like the Social Security Number, has always had
this problem of operating both as a record identifier and as a
password," Rotenberg said. "It.s the interchangeable nature of the
identifier that creates a security risk".

Until yesterday afternoon, exploiting such vulnerabilities could have
been made easier by the long-standing glitch in the polling tool. The
website, which allows people to design and conduct surveys, enabled
anyone - with or without Harvard affiliation.to search the entire
Harvard directory by first or last name, e-mail address or Harvard ID
number. Unlike other campus directories, the system did not hide users
who have requested FERPA security from the University, or respect
other user-set restrictions on the distribution of their directory

A series of steps common in conducting a poll enabled any iCommons
user to directly look up the ID number of any Harvard affiliate - from
secure-flagged students to University President Lawrence H. Summers.  
No other public system permits students to search ID numbers or to
associate ID numbers with names.

Susan Rogers, project manager for iCommons, was surprised when The
Crimson demonstrated the technique for looking up a FERPA protected
student.s information, though she had previously planned to remove the
search by ID number feature.

She added yesterday evening that preliminary analysis of the usage
logs of the poll tool showed that prior to pulling the site, only The
Crimson had used the method that non-Harvard affiliates could use to
gain access.


But even if iCommons is fixed, The Crimson has identified a variety of
web tools that require no more than the non-secret ID, or a
combination of ID and last name or birthday, to access information
that would generally be considered confidential.

For instance, anyone on campus can delete or register a Harvard
network connection just knowing an individual's ID and last name. This
would permit someone to illegally share files traceable to another
person's identity.

A last name and ID are also the keys to choosing course sections and
accessing the Student Employment Office's jobs database. Only an ID is
required to access the Office of Career Services. MonsterTrak job
listings database.

With a Harvard ID and birthday - obtainable by undergraduates through
an online facebook, and more widely through websites like
anybirthday.com.a user can post or download resumés on someone else.s
eRecruiting account or access the online UHS health insurance waiver
form. Individuals can also activate an e-mail address for someone who
is eligible for a Faculty of Arts and Sciences account but has not
requested one.

Setting up all campus mail to forward to a different physical address
requires the ID and the last four digits of a student's social
security number.often obtainable by searching online directories like
Lexis-Nexis and Accurint. Accessing mail forwarding would also show
the individual's current Harvard address, which for a secure-flag
student could result in the disclosure of their on-campus whereabouts.

The most sensitive data accessible with only a Harvard ID and
birthday, though, appears to be that from Harvard.s primary drug
insurance provider, PharmaCare.

Bradner said the healthcare industry is under unusually strict
requirements to protect sensitive information, in part due to HIPAA.

"Despite that, there are a lot of people in the healthcare industry
who just don.t get it," he said. "If indeed they.re using just [ID and
birthday] to identify somebody, that.s an example of just not getting

Skane, the UHS compliance officer, said that without more information
from PharmaCare she was unsure whether Harvard or PharmaCare would be
able to determine whether unauthorized individuals had used the site.

A PharmaCare spokeswoman last night said she was unaware that
information about past pharmacy drug purchases was available through
its website.

Jerome B. Tichner Jr., an attorney practicing healthcare law at
Boston-based Brown and Rudnick, said that while he could not comment
on PharmaCare.s specific case, current law requires insurance
providers to "maintain reasonable safeguards to protect against
improper access and disclosure of healthcare records."

"If an entity [covered by HIPAA] does not have adequate security
systems, and it.s very easy for any third party to walk in or log in
and obtain pharmaceutical information or other - healthcare
information, that may pose liability concerns," he said.

Lewis, who is also a computer science professor and will teach a Core
course next semester on computers and public policy, said he has
advocated since 1996 for clearer Harvard policies on ID privacy.

"Ten years ago the most you could get with a Harvard ID number was a
bag lunch,. he said. .But now data of all kinds are on web servers for
reasons of convenience, and those Harvard ID numbers, if those are the
keys, suddenly are much more powerful tools to get at sensitive

"It.s too bad that everything hasn.t been shifted over to PIN
authentication, which should today represent the minimum of security
for confidential university records," Lewis added.

More information about the ISN mailing list