University of Louisville Patients' Data Exposed


A physician at the University of Louisville Hospital inadvertently put the names, social security numbers and some medical information of 708 patients receiving kidney dialysis treatment at risk for 19 months after he set up a database on an unsecured Web page.

University of Louisville spokesman Mark Hebert said the data breach was just another classic example of how a well-meaning medical professional can innocently expose patient data in the normal course of providing care.

"It was an internal Web page that couldn't be accessed from another public page or through surfing the Internet," Hebert said. "He thought he was the only one who could access the page. He was wrong."

University officials were alerted to the unsecured site through an e-mail from someone outside the university on May 17. The Web site was shuttered less than an hour later, Hebert said.

Meanwhile, the university in the past two weeks sent notification letters to all 708 patients affected by the breach. In some instances, the letters were returned from patients who had either moved or died in the interim. In those cases, university officials then sent out notification letters to the patients' next of kin.

"We do have a strict university policy when it comes to meeting HIPAA standards," Hebert said, referring to the Health Insurance Portability and Accountability Act (HIPAA) of 1996, which sets strict privacy and security rules applying to healthcare providers and their partners. "This was just a simple mistake. The doctor thought the site was password-protected when it wasn't."

This latest data breach is just the most recent in a series of missteps by universities, hospitals, health insurance providers and garden-variety medical billing companies.

Last month, more than 9,500 New Mexico Medicaid patients were informed that their personal information -- including social security numbers, names and addresses -- had been exposed when a third-party processor's car and laptop were stolen in Chicago.

In February, another 4,300 patients at the University of California, San Francisco, medical school had their information revealed when an employee's laptop went missing.

So far, it doesn't appear that any of the personal data exposed in the University of Louisville Hospital gaffe has been used improperly. The university is offering all affected patients free credit-monitoring services for a year, it said.

Larry Barrett is a senior editor at, the news service of, the network for technology professionals.