Drug Records, Confidential Data Vulnerable

Harvard ID numbers, PharmaCare loophole provide wide-ranging access to private data

Setting up all campus mail to forward to a different physical address requires the ID and the last four digits of a student’s social security number—often obtainable by searching online directories like Lexis-Nexis and Accurint. Accessing mail forwarding would also show the individual’s current Harvard address, which for a secure-flag student could result in the disclosure of their on-campus whereabouts.

The most sensitive data accessible with only a Harvard ID and birthday, though, appears to be that from Harvard’s primary drug insurance provider, PharmaCare.

Bradner said the healthcare industry is under unusually strict requirements to protect sensitive information, in part due to HIPAA.

“Despite that, there are a lot of people in the healthcare industry who just don’t get it,” he said. “If indeed they’re using just [ID and birthday] to identify somebody, that’s an example of just not getting it.”

Skane, the UHS compliance officer, said that without more information from PharmaCare she was unsure whether Harvard or PharmaCare would be able to determine whether unauthorized individuals had used the site.

A PharmaCare spokeswoman last night said she was unaware that information about past pharmacy drug purchases was available through its website.

Jerome B. Tichner Jr., an attorney practicing healthcare law at Boston-based Brown and Rudnick, said that while he could not comment on PharmaCare’s specific case, current law requires insurance providers to “maintain reasonable safeguards to protect against improper access and disclosure of healthcare records.”

“If an entity [covered by HIPAA] does not have adequate security systems, and it’s very easy for any third party to walk in or log in and obtain pharmaceutical information or other…healthcare information, that may pose liability concerns,” he said.

Lewis, who is also a computer science professor and will teach a Core course next semester on computers and public policy, said he has advocated since 1996 for clearer Harvard policies on ID privacy.

“Ten years ago the most you could get with a Harvard ID number was a bag lunch,” he said. “But now data of all kinds are on web servers for reasons of convenience, and those Harvard ID numbers, if those are the keys, suddenly are much more powerful tools to get at sensitive information.”

“It’s too bad that everything hasn’t been shifted over to PIN authentication, which should today represent the minimum of security for confidential university records,” Lewis added.

—Staff writer J. Hale Russell can be reached at

—Staff writer Elisabeth S. Theodore can be reached at