The University of Pittsburgh Medical Center has removed from its Web site an online form used to collect patient information, including names, Social Security numbers and prescriptions, after realizing the form lacked basic security protections.
The prescription request form, which was available at www.upmc.com/onlineforms/, was removed following a Post-Gazette inquiry.
"The unsecured nature of this form and that of a couple of others were brought to the attention of our Web people several weeks ago through an e-mail," said Frank Raczkiewicz, a UPMC spokesman. "We have since secured the other forms but through an oversight this particular form was overlooked."
The other two forms allowed patients to request appointments and complete a pre-registration form, he said. Those forms had been on the Web site for more than a year.
The forms "were part of a very small limited pilot study of a subset of patients," Raczkiewicz said, adding that UPMC believes fewer than 100 people used them.
But a recorded phone message at one large medical practice in Oakland included a general statement that patients seeking a prescription refill could use the online form, suggesting it was available to more patients.
Privacy experts said they were amazed that UPMC, with its extensive expertise in both computers and federal privacy rules, failed to use security technology that can be found everywhere from eBay to home computers to prevent cyber thieves from obtaining confidential information.
The situation is one example of why some Americans are uneasy about the move to create electronic medical records, said Emily Stewart of the Health Privacy Project in Washington, D.C. She also said that a hospital soliciting health information on a site that's not secure constitutes a violation of the Health Information Portability and Accountability Act of 1996, though she noted the government does not actively enforce the privacy and security rules.
"This, to me, is absolutely astounding," said Charles Inlander of the People's Medical Society, a consumer group in Allentown. "This is either cheap on their part or, more likely, they didn't even consider the privacy issue."
But UPMC officials said they don't believe they violated the privacy law, and they played down the privacy risk.
"We believe the risk of identity theft is very low," Raczkiewicz said. "The form generated an e-mail that would have been accessed only from within the UPMC network."
When a computer user completes an online form and submits it, the information may be broken down into smaller pieces that traverse the Internet and are reassembled by the computer server on the receiving end, explained Larry Rogers, senior member of the technical staff at Carnegie Mellon University's CERT computer security program.
Eavesdroppers who gain access to the network and the path between the computers can use programs to reassemble the information just as the server computer system does. To guard against this, sites can encrypt this information so that when the eavesdropper reassembles the information, it cannot be read.
Consumers can check a site's security in two ways: they can look for the padlock insignia in the lower right corner of the Web page and for the "https" prefix on the online form's Web address.
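The same check can be run from the site operator's side before a form goes live. The following is an added example, not code from UPMC or the original article: it parses a page's HTML and reports any form that is served or submitted without https, along with fields that look sensitive. The sample URL, field names and the list of sensitive-name hints are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Field-name fragments treated as sensitive (assumed list for this example).
SENSITIVE_HINTS = ("ssn", "social", "prescription", "dob", "password")

class FormAuditor(HTMLParser):
    """Collects each <form>'s resolved submit URL and its input field names."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # An empty or missing action submits back to the page's own URL.
            target = urljoin(self.page_url, a.get("action") or "")
            self.forms.append({"target": target, "fields": []})
        elif tag in ("input", "textarea", "select") and self.forms and a.get("name"):
            self.forms[-1]["fields"].append(a["name"])

def audit(page_url, html):
    """Return findings for forms that are served or submitted without HTTPS."""
    parser = FormAuditor(page_url)
    parser.feed(html)
    findings = []
    for form in parser.forms:
        reasons = []
        # A page delivered in cleartext can be altered in transit, so flag it too.
        if urlparse(page_url).scheme != "https":
            reasons.append("page served without https")
        if urlparse(form["target"]).scheme != "https":
            reasons.append("submits without https")
        sensitive = [f for f in form["fields"] if any(h in f.lower() for h in SENSITIVE_HINTS)]
        if reasons:
            findings.append({"target": form["target"], "reasons": reasons, "sensitive_fields": sensitive})
    return findings

# Constructed sample page; the URL and field names are placeholders, not UPMC's form.
SAMPLE_URL = "http://hospital.example/onlineforms/refill.html"
SAMPLE_HTML = """
<form action="/cgi-bin/mail-refill" method="post">
  <input name="patient_name"><input name="SSN"><textarea name="prescription"></textarea>
</form>
<form action="https://hospital.example/search"><input name="q"></form>
"""

if __name__ == "__main__":
    print(audit(SAMPLE_URL, SAMPLE_HTML))
```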
Rogers took a look at UPMC's online form on Tuesday before it was removed and noted the telltale signs of a secure site were missing. Without an https site, he said, "I don't have any control over the path that it goes from my computer system to the Web server, and I don't know who can listen into it."
To explain the security risk, Rogers drew an analogy with the old "party-line" telephone systems, in which callers could never be sure that someone wasn't listening in.
He said it could be very difficult to determine after the fact whether information sent through UPMC's online form got into the wrong hands -- it would be like trying to determine how many people other than the intended recipient took information from a mailed postcard.
Even the padlock insignia and https prefix aren't foolproof indicators of security, Rogers said. Hackers can create the illusion of security on a computer user's Web browser.
The UPMC situation underscores a broader problem with how consumers use the Web, Rogers said.
"We know to look left and right before crossing a street," he said. "How do we teach people to look both ways on the Internet?"
Consumers need to be wary about sharing information online, experts said.
Noting the risk of identity theft, the Federal Trade Commission advises consumers to be careful about sharing information such as Social Security numbers over unsecure sites, said FTC spokeswoman Claudia Bourn Farrell.