Case Western Reserve Website Exposes Medical Information, Personal Information of 452 PeopleFOR IMMEDIATE RELEASE: October 4, 2007
Media Contact: Aaron Titus
CLEVELAND, Ohio. In September, 2007 8 files were discovered at filer.case.edu containing sensitive personal information of approximately 452 people. Three files identified participants in a medical study, as well as a detailed description of personal medical conditions, treatments, ages, and other demographic information. In that file, one column identifies several individuals who appear to be doctors or medical professionals who participated in the study: Rein Lambrecht, Thomas Chelimsky, Bill Stacey, and Amer Alshekhlee. Applicants were asked to describe details of their conditions like, "...bladder and sexual function inability to stand > 10 secs, several bowel obstructions... 2 years of diarrhea with no constipation...." Participants were also required to list medications they were taking. The list reveals one participant's treatments as, "glucophage, tricol, bactrim, prinivil, prilosec, crestor, lasix, zetia, aerobid, singulair, zyrtec, albuterol, oxygen, betopic eye, xalatan, wellbutrin, neurontin, iburpofen, mutli vitamin, vitamin E, B-complex, fero-grade." A column labeled "Consent/HIPAA form" shows that 56% of the entries read either "needs signature," or "NO."
Other files contained addresses, phone numbers, e-mail addresses, a few Social Security Numbers, dates of birth, and other information. Several of the files seemed to be notes from interviews with interview scores, and comments like "Score: 10.5 too generous?... possibly too harsly [sic] graded, but not at up to a 9... Intramurals, no honors/research/ no work experience, bad essay."
The website filer.case.edu appears to be an online filing system for students and faculty of Case Western Reserve University. While the system, called "Filer," does not claim to be secure, the system does require a login, which may lend a false sense of security to some faculty or students, and may have contributed to some individuals posting sensitive information. Yahoo.com has indexed roughly 44,100 files and websites at filer.case.edu. However, the files in question appeared to be purged from Yahoo's caches by October 4, 2007.
Individuals affected by this exposure should immediately visit www.nationalidwatch.org and search for their names, to confirm what types of personal information were exposed. NationalIDWatch.org has a list of recommended steps victims should take.
National ID Watch is a search engine for personal information breaches. Sponsored by the Washington, DC non-profit Liberty Coalition, NationalIDWatch.org provides more than a million free personalized Identity Exposure Reports™ as a public service.
Each Identity Exposure Report (IXR) documents what types of personal information were exposed (such as Social Security Numbers, Birth Dates, Addresses, etc.), without revealing them. Each IXR also details the situation surrounding each exposure, and contact information of those responsible for the breach. Armed with this information, victims can further investigate, take action, or correct harm.