Harvard To Review Site Access Standards

University drug insurer PharmaCare has disabled Harvard users’ access to its website, and dozens of sites around the University will be asked to change their security procedures following a Crimson report that drug purchase histories and other sensitive records were available to unauthorized users.

The Crimson reported on Friday that with a generic e-mail account, reporters were able to access, within 10 minutes, a list of every drug purchased by one Harvard student as well as the e-mail addresses and ID numbers of several students whose identities the University was required to keep secret under federal law.

The Crimson also reported that several Harvard websites—including those regulating network access, job applications and mail forwarding—were accessible with only a non-secure ID number and last name, birthday or Social Security Number. These are among nearly a dozen websites identified by The Crimson that remain vulnerable to unauthorized access.

The University disabled one website contributing to the problem, iCommons poll tool, on Thursday after the The Crimson demonstrated that it had allowed any internet user to look up the ID numbers of all Harvard students and employees. The tool had permitted poll authors to add anyone to a list of respondents to their poll, and then download a spreadsheet of those people’s e-mails, ID numbers and names.

These numbers are still widely available to administrators, professors, teaching fellows and even fellow students. ID numbers are used to track students internally and are sometimes shared with outside companies. Students often share them with fellow students for purposes ranging from reserving tickets through the Harvard Box Office to ordering food through Harvard University Dining Services.


University spokesperson Joe Wrinn said that following the Crimson report, Harvard will conduct an audit of all websites that permit access with the ID and another nonsecure piece of information—which Wrinn called “an inappropriately weak form of authentication”—rather than through a confidential password or PIN number.

“Securing access to restricted web sites or other applications with anything other than HUID and PIN is not appropriate,” Wrinn wrote in an e-mail. “Whether a site contains confidential data or not, the login process should entail a secret password that is under the control of the user.”

“Dozens of site administrators across the University are reviewing their current approach to ensure they are in compliance,” he added.

Though reviews have found that only The Crimson had used the method required for a non-affiliate to access the poll tool, Wrinn said yesterday that Harvard was still reviewing possible misuse by Harvard affiliates. He said Harvard would be following up with users—like students who administered polls for classes—who should not have had access to IDs.

Under the Family Educational Rights and Privacy Act (FERPA), students can request that the registrar put a security lock on their account, preventing the University from disclosing their directory information to the public. FERPA-secured students’ e-mail addresses were available in the iCommons Poll Tool.

University Health Services and PharmaCare have not yet determined whether anyone had accessed others’ confidential drug purchase histories, said Wrinn, but plan to follow up on every visit to the site by a Harvard affiliate. Preliminary analysis shows that not many Harvard affiliates had used the PharmaCare site, he said.

“The PharmaCare site will remain disabled for Harvard use until the hacking risk is addressed in a permanent way,” Wrinn said.

PharmaCare, a Rhode Island-based company owned by CVS, required nothing more than an ID and correct birthday to establish an account on its website and gain access to prescription histories.

After learning of the breach from The Crimson, University Health Services called PharmaCare’s senior management, and the site was disabled for Harvard users a few hours later.

PharmaCare officials issued a statement Friday saying that it “protects Personal Health Information (PHI) in a diligent manner that is consistently in compliance with all regulations.”