Harvard Yard Encampment Spreads towards Johnston Gate

News

Pro-Palestine Harvard Students Occupy Harvard Yard on First Day of Encampment

News

Pro-Palestine Encampment Represents First Major Test for Harvard President Alan Garber

News

Israeli PM Benjamin Netanyahu Condemns Antisemitism at U.S. Colleges Amid Encampment at Harvard

Nikole Hannah-Jones at Legacy of Slavery Event

News

‘A Joke’: Nikole Hannah-Jones Says Harvard Should Spend More on Legacy of Slavery Initiative

News

Massachusetts ACLU Demands Harvard Reinstate PSC in Letter

News

LIVE UPDATES: Pro-Palestine Protesters Begin Encampment in Harvard Yard

News

Cooke and Hirabayashi Failed To Meet Campaign Promises. To Students, It Reflects Broader Issues.

Drug Records, Confidential Data Vulnerable

Harvard ID numbers, PharmaCare loophole provide wide-ranging access to private data

By J. hale Russell and Elisabeth S. Theodore, Crimson Staff Writerss January 21, 2005

Setting up all campus mail to forward to a different physical address requires the ID and the last four digits of a student’s social security number—often obtainable by searching online directories like Lexis-Nexis and Accurint. Accessing mail forwarding would also show the individual’s current Harvard address, which for a secure-flag student could result in the disclosure of their on-campus whereabouts.

The most sensitive data accessible with only a Harvard ID and birthday, though, appears to be that from Harvard’s primary drug insurance provider, PharmaCare.

Bradner said the healthcare industry is under unusually strict requirements to protect sensitive information, in part due to HIPAA.

“Despite that, there are a lot of people in the healthcare industry who just don’t get it,” he said. “If indeed they’re using just [ID and birthday] to identify somebody, that’s an example of just not getting it.”

Skane, the UHS compliance officer, said that without more information from PharmaCare she was unsure whether Harvard or PharmaCare would be able to determine whether unauthorized individuals had used the site.

Multimedia

Image

FROM STEPHEN TO ZITHROMAX

A PharmaCare spokeswoman last night said she was unaware that information about past pharmacy drug purchases was available through its website.

Jerome B. Tichner Jr., an attorney practicing healthcare law at Boston-based Brown and Rudnick, said that while he could not comment on PharmaCare’s specific case, current law requires insurance providers to “maintain reasonable safeguards to protect against improper access and disclosure of healthcare records.”

“If an entity [covered by HIPAA] does not have adequate security systems, and it’s very easy for any third party to walk in or log in and obtain pharmaceutical information or other…healthcare information, that may pose liability concerns,” he said.

Lewis, who is also a computer science professor and will teach a Core course next semester on computers and public policy, said he has advocated since 1996 for clearer Harvard policies on ID privacy.

“Ten years ago the most you could get with a Harvard ID number was a bag lunch,” he said. “But now data of all kinds are on web servers for reasons of convenience, and those Harvard ID numbers, if those are the keys, suddenly are much more powerful tools to get at sensitive information.”

“It’s too bad that everything hasn’t been shifted over to PIN authentication, which should today represent the minimum of security for confidential university records,” Lewis added.

—Staff writer J. Hale Russell can be reached at jrussell@fas.harvard.edu.

—Staff writer Elisabeth S. Theodore can be reached at theodore@fas.harvard.edu.