Administrators shut down a Harvard website contributing to the breach minutes after The Crimson demonstrated the problem yesterday afternoon. But at press time, sensitive data—including the drug histories of those insured by the University—remained vulnerable to anyone who obtains a student or professor’s non-confidential Harvard ID number.
The now-disabled Harvard website, iCommons Poll Tool, required nothing more than a free, anonymous Hotmail account and five minutes to look up the eight-digit ID of any student, faculty or staff member.
The Crimson accessed a list of all three prescription drugs purchased by one student at the University Health Services (UHS) Pharmacy by typing his ID number and birthday into another website, run by Harvard drug insurer PharmaCare. Birthdates of undergraduates are published to fellow students, and are in many cases more widely available on sites such as anybirthday.com.
Last night, the insurer’s website still required nothing more than these two pieces of information to provide a list of drugs purchased by anyone covered by Harvard’s drug insurance policy—which is mandatory for all undergraduates and also covers many faculty and staff.
UHS, after being alerted to the security issues on PharmaCare’s website by The Crimson yesterday, said it immediately called the insurer for an explanation.
“We’re in contact with PharmaCare,” UHS Compliance Officer Barbara Skane said yesterday evening. “We’ve expressed to them how serious this is and that we’re asking their senior management to look into it to see what we can do to correct any inappropriate access.” She added she did not yet know whether PharmaCare’s website might violate HIPAA, a federal law prohibiting the unauthorized disclosure of individual medical records.
Moreover, from the now-disabled University website, it took under a minute to produce the ID number and e-mail address of a student who told The Crimson he had been granted security status at Harvard under the Family Educational Rights and Privacy Act (FERPA) because his family is prominent in international politics.
“If a student contacts their Registrar and requests total privacy under FERPA, this FERPA status...must also [be] recorded in the central directory system,” wrote Jane E. Hill, Harvard’s Directory Services project manager, in an e-mail.
FERPA legally requires universities not to disclose or verify directory information, including names and e-mail addresses, of individuals with a secure flag, except as required for specific educational purposes. This protection is used both by “publicity-shy” celebrities and by students who “are legitimately terrified of some potentially harmful person—a woman trying to disappear from a stalker, for example,” wrote former Dean of the College Harry R. Lewis ’68 in an e-mail.
Additionally, though Faculty policy prohibits it, many professors still e-mail their students all class grades listed by ID numbers. Thus any of the 311 students in Psychology 1 this year, among others, could have also used the disabled website to determine what exam grades their classmates received—a confidential academic record.
After the iCommons Poll Tool was shut down last night, University Technology Security Officer Scott Bradner said that “there’s no condition under which [the ID number] should have been shared…It was not a design feature.”
The glitch—and the vulnerabilities that remain—underscore the difficulties posed to information privacy by the widespread use of ID numbers to verify identity, even though those numbers are often not kept secret.
“The University has a custodial obligation to protect the personal information of its students, its faculty and its employees,” said Marc Rotenberg ’82, executive director of the Electronic Privacy Information Center, after learning of The Crimson’s findings. “People need to understand how pervasive the University’s information gathering and collating capabilities are…The impact on the Harvard community in terms of the privacy exposure is substantial.”