MEDICAL PRIVACY: Patient Records Exposed on Web

      Patient records at the University of Michigan Medical Center "were left exposed to the public on the Internet in a breach discovered this week," the Ann Arbor News reports. A university student who unwittingly accessed thousands of patient records on Monday morning notified the university, which cut off access to the data that contained patients' names, addresses, phone numbers, Social Security numbers, employment status, treatments planned for specific medical conditions and other information. "The length of time the records were exposed to the public could have been a few hours, a few days or up to a year," according to the Ann Arbor News. Medical center spokesperson Dave Wilkins said staff "mistakenly" placed the records on a server they believed was password protected so that the Minneapolis-based software company HBOC could fix bugs in the software it installed. In addition, he noted that the exposed records contained information used for scheduling appointments, not "more detailed medical information." But Allen Leibowitz, president of Anzen Computing in Ann Arbor, noted that such data can be encrypted so the public cannot read it. Wilkins said the medical center is currently weighing whether to inform individual patients about the breach. "Patient confidentiality is something we take very seriously," Wilkins said, adding, "We're spending a lot of time making sure this stuff is locked down" (Wahlberg, 2/10).