A Web-server administration snafu at the University of Michigan Health System left thousands of patient medical records open to the world until late Monday morning.
A link to the confidential patient database surfaced Monday among the results of a search for a doctor conducted with the university's Web site search engine. The file, obtained by Wired News, is a log of activity in a patient scheduling system, a university spokesman confirmed.
"It is extremely frightening," said Scott Sanders, field director of the Health Privacy Project, a group dedicated to raising public awareness about health-data privacy. "People go to seek medical care with the expectation that our records will be protected. The idea that they are vulnerable ... There are some frightening possibilities.
"We have to make sure there is a framework in place to protect people's privacy."
It is not clear how long the confidential information was exposed. The 10 MB database contains names, addresses, Social Security numbers, employment status, and treatment records. The file details treatments under way for colon cancer, renal failure, pneumonia, and hundreds of other illnesses.
"There was apparently a case of human error in which this data was placed on a server which was believed to have been password protected, and that was not the case," said University of Michigan spokesman Dave Wilkins.
"Within minutes of our being notified [of the privacy problem], the information was secured and taken off that server," he said. "We understand the urgency and implications of this kind of breach and are taking steps to make sure that it doesn't happen again."
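The failure described above, a file placed on a web server that staff believed required a password but in fact answered anonymous requests, is cheap to catch before a search engine does. The following script is an added example, not part of the Wired News article and not the University of Michigan's own tooling: it sends an unauthenticated GET to each URL you believe is protected and flags any that return content. The two local handlers, the `/scheduler.log` path and the placeholder body are all constructed so the check can be run offline against a mock of each situation.

```python
"""Verify that paths believed to be access-controlled reject anonymous requests.

Added example (not the article's or the university's code). The local
handlers and sample content below are constructed purely for the demo.
"""
import http.server
import threading
import urllib.error
import urllib.request


def anonymous_status(url, timeout=5):
    """Return the HTTP status an unauthenticated GET receives for url."""
    req = urllib.request.Request(url, headers={"User-Agent": "auth-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        # 401/403/404 arrive as exceptions; the code is what we want.
        return err.code


def is_exposed(url):
    """True when an anonymous request gets a 2xx, i.e. the resource is served to anyone."""
    return 200 <= anonymous_status(url) < 300


# --- constructed mock servers for the offline demo ---------------------------
class ExposedHandler(http.server.BaseHTTPRequestHandler):
    """Mimics the mis-set server: serves the log to anyone who asks."""

    def do_GET(self):
        body = b"placeholder,scheduling,log,line\n"  # constructed, not real data
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


class ProtectedHandler(http.server.BaseHTTPRequestHandler):
    """Mimics a correctly protected path: anonymous requests get 401."""

    def do_GET(self):
        self.send_response(401)
        self.send_header("WWW-Authenticate", 'Basic realm="scheduler-log"')
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass


def serve(handler):
    """Start a handler on an ephemeral loopback port in a daemon thread."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo():
    """Check the constructed 'believed protected' path on both mock servers.

    Returns {"exposed": True, "protected": False}: the first server hands the
    file to an anonymous client, the second correctly refuses.
    """
    results = {}
    for name, handler in (("exposed", ExposedHandler), ("protected", ProtectedHandler)):
        srv = serve(handler)
        try:
            port = srv.server_address[1]
            results[name] = is_exposed(f"http://127.0.0.1:{port}/scheduler.log")
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for name, exposed in demo().items():
        print(f"{name}: {'EXPOSED - anonymous GET returned content' if exposed else 'ok'}")
```

In practice you would feed `is_exposed` the real URLs of every path that is supposed to sit behind authentication and run it from a host outside the organisation's network, since a site-wide search engine indexes exactly what an anonymous client can fetch; a 2xx here means the crawler can see it too.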
Sanders said that, unlike credit reports, or even video rentals, there is no federal law protecting the privacy of medical records. Congress is under a mandate to pass such a law before 21 August, however.