Jerome B. Tichner Jr., an attorney practicing healthcare law at Boston-based Brown and Rudnick, told The Crimson on Thursday that while he could not comment on PharmaCare’s specific case, current law requires insurance providers to “maintain reasonable safeguards to protect against improper access and disclosure of healthcare records.”

Wrinn said the University’s Office of Risk Management and Audit Services will also audit all internal Harvard systems that “contain confidential data,” which he said includes employment, educational and medical records.

The University will not, however, permit Harvard students to request their ID number be changed.

“Changing it doesn’t provide much additional protection,” Wrinn said. “Properly designed systems do not divulge confidential information to anyone who just has an HUID.”

Currently, anyone who knows a student ID and last name can still delete or register a Harvard network connection under another identity, section someone else for courses, or access the Student Employment Office’s job database.

Websites accessible with a Harvard ID and birthday include the eRecruiting site, which would allow an unauthorized user to download or post a resume on someone else’s account or to submit and withdraw job applications. The Faculty of Arts and Sciences e-mail registration page also verifies identity through ID and birthday, while setting up campus mail to forward to a different physical address requires the ID and the last four digits of a student’s social security number.

—Staff writer J. Hale Russell can be reached at jrussell@fas.harvard.edu.

—Staff writer Elisabeth S. Theodore can be reached at theodore@fas.harvard.edu.