Harvard To Review Site Access Standards

University drug insurer PharmaCare has disabled Harvard users’ access to its website, and dozens of sites around the University will be asked to change their security procedures following a Crimson report that drug purchase histories and other sensitive records were available to unauthorized users.

The Crimson reported on Friday that with a generic e-mail account, reporters were able to access, within 10 minutes, a list of every drug purchased by one Harvard student as well as the e-mail addresses and ID numbers of several students whose identities the University was required to keep secret under federal law.

The Crimson also reported that several Harvard websites—including those regulating network access, job applications and mail forwarding—were accessible with only a non-secure ID number and last name, birthday or Social Security Number. These are among nearly a dozen websites identified by The Crimson that remain vulnerable to unauthorized access.

The University disabled one website contributing to the problem, iCommons poll tool, on Thursday after the The Crimson demonstrated that it had allowed any internet user to look up the ID numbers of all Harvard students and employees. The tool had permitted poll authors to add anyone to a list of respondents to their poll, and then download a spreadsheet of those people’s e-mails, ID numbers and names.

These numbers are still widely available to administrators, professors, teaching fellows and even fellow students. ID numbers are used to track students internally and are sometimes shared with outside companies. Students often share them with fellow students for purposes ranging from reserving tickets through the Harvard Box Office to ordering food through Harvard University Dining Services.


University spokesperson Joe Wrinn said that following the Crimson report, Harvard will conduct an audit of all websites that permit access with the ID and another nonsecure piece of information—which Wrinn called “an inappropriately weak form of authentication”—rather than through a confidential password or PIN number.

“Securing access to restricted web sites or other applications with anything other than HUID and PIN is not appropriate,” Wrinn wrote in an e-mail. “Whether a site contains confidential data or not, the login process should entail a secret password that is under the control of the user.”

“Dozens of site administrators across the University are reviewing their current approach to ensure they are in compliance,” he added.

Though reviews have found that only The Crimson had used the method required for a non-affiliate to access the poll tool, Wrinn said yesterday that Harvard was still reviewing possible misuse by Harvard affiliates. He said Harvard would be following up with users—like students who administered polls for classes—who should not have had access to IDs.

Under the Family Educational Rights and Privacy Act (FERPA), students can request that the registrar put a security lock on their account, preventing the University from disclosing their directory information to the public. FERPA-secured students’ e-mail addresses were available in the iCommons Poll Tool.

University Health Services and PharmaCare have not yet determined whether anyone had accessed others’ confidential drug purchase histories, said Wrinn, but plan to follow up on every visit to the site by a Harvard affiliate. Preliminary analysis shows that not many Harvard affiliates had used the PharmaCare site, he said.

“The PharmaCare site will remain disabled for Harvard use until the hacking risk is addressed in a permanent way,” Wrinn said.

PharmaCare, a Rhode Island-based company owned by CVS, required nothing more than an ID and correct birthday to establish an account on its website and gain access to prescription histories.

After learning of the breach from The Crimson, University Health Services called PharmaCare’s senior management, and the site was disabled for Harvard users a few hours later.

PharmaCare officials issued a statement Friday saying that it “protects Personal Health Information (PHI) in a diligent manner that is consistently in compliance with all regulations.”

Jerome B. Tichner Jr., an attorney practicing healthcare law at Boston-based Brown and Rudnick, told The Crimson on Thursday that while he could not comment on PharmaCare’s specific case, current law requires insurance providers to “maintain reasonable safeguards to protect against improper access and disclosure of healthcare records.”

Wrinn said the University’s Office of Risk Management and Audit Services will also audit all internal Harvard systems that “contain confidential data,” which he said includes employment, educational and medical records.

The University will not, however, permit Harvard students to request their ID number be changed.

“Changing it doesn’t provide much additional protection,” Wrinn said. “Properly designed systems do not divulge confidential information to anyone who just has an HUID.”

Currently, anyone who knows a student ID and last name can still delete or register a Harvard network connection under another identity, section someone else for courses, or access the Student Employment Office’s job database.

Websites accessible with a Harvard ID and birthday include the eRecruiting site, which would allow an unauthorized user to download or post a resume on someone else’s account or to submit and withdraw job applications. The Faculty of Arts and Sciences e-mail registration page also verifies identity through ID and birthday, while setting up campus mail to forward to a different physical address requires the ID and the last four digits of a student’s social security number.

—Staff writer J. Hale Russell can be reached at

—Staff writer Elisabeth S. Theodore can be reached at