Over the course of two years, more than 1,500 prescription requests were submitted to the University of Pittsburgh Medical Center by way of an online form that collected names and Social Security numbers but lacked basic security protections.

		Related coverage UPMC pulls online drug form (5/27/05)

John Houston, the chief privacy officer at UPMC, said yesterday that it was not clear how many separate patients used the form, although he believes it was fewer than the 1,527 requests that were processed through the online tool.

But Houston acknowledged that UPMC officials initially understated the number of patients who used the form. Last week, UPMC spokesman Frank Raczkiewicz wrote in an e-mail to the Post-Gazette that fewer than 100 -- and probably closer to 50 -- patients submitted requests.

UPMC removed the online form from its Web site last week following an inquiry from the newspaper. At the time, a phone message at a large medical practice in Oakland directed patients seeking prescription refills to the online form, which also asked patients for a phone number and medication name.

Houston reiterated UPMC's position that the security problem did not actually lead to a security breach. The threat is not that computer hackers could break into the UPMC system to get the information, but rather that the data wasn't encrypted -- and was therefore vulnerable -- as it traveled the Internet between patients' computers and the UPMC server.

"Yes, there is a theoretical security risk to this, but it's a risk," Houston said. "I don't believe it translated into a specific, actual breach of security."

Many of those who completed the form at www.upmc.com/onlineforms/ likely used it more than once to make their prescription requests -- either because they took multiple medicines or because they submitted multiple refill requests for the same drug.

"Obviously, the previous statistics were low," Houston said yesterday. "This number could easily be less than 400 or 500 patients. I can only speculate, though. I don't think it's 1,500 separate patients."

Larry Rogers, a computer security expert with the CERT program at Carnegie Mellon University, noted that it's very difficult to know after-the-fact whether insecure data was inappropriately accessed as it traversed the Internet. It's like trying to find out whether someone other than the recipient of a post card read the message as it went through the mail, Rogers said.

Privacy advocates said they didn't find Houston's comments reassuring.

"It has nothing to do with whether hackers have better ways. The issue is: Did they leave this open and vulnerable?" said Charles Inlander of the People's Medical Society, a consumer group in Allentown. "The answer is: Yes. The more telling thing is, they don't know how many people those prescription numbers represent, nor do they know that there wasn't a security breach."

Houston said computer hackers would be more likely to use technology that captured individuals' credit card numbers as well as their names and Social Security numbers. Two technologies often used by hackers -- one that records keystrokes on a computer, and another that creates fake Web pages to capture information -- were unrelated to the lack of encryption on UPMC's online form, Houston said.

Even so, the form has been taken down and won't be restored until it is made secure with encryption technology. Houston said the security problem noted last week has prompted a review to make sure all Web features at UPMC are secure.

UPMC is in the midst of a multimillion-dollar project to computerize medical records, and public trust in the security surrounding these records is crucial, Houston said. He added that numerous safeguards for information are in place once the records are received by UPMC.

When a computer user completes an online form and submits it, the information traverses the Internet and arrives at the computer server on the receiving end. Eavesdroppers who gain access to the path between the computers can use programs to reassemble the information just as the server computer system does -- essentially making a photocopy as the information passes by.

When the information is encrypted, the eavesdropper cannot read the information.

Houston said UPMC does not plan to notify patients who used the form about the security risk. He said the situation differed from that at LifeCare Hospital of Wilkinsburg, where about 440 employees received letters last month alerting them to a computer theft at the hospital's corporate office in Texas.

A thief posing as a member of the cleaning crew stole from Life-Care Management Services LLC six laptop computers that contained payroll information, and likely included employee names, home addresses, Social Security numbers and bank routing numbers. A spokesman for the company said LifeCare notified employees about the threat to credit records even though it was unclear whether the crime was motivated by identity theft.

Houston said the UPMC situation was different because LifeCare officials knew that a theft had occurred.

"If that type of thing were to happen at UPMC, I believe [we] would take the same type of steps," he said. "But I don't think that theft occurred here. This was a vulnerability, but I don't believe it translated into an actual theft."

"I think the likelihood was extremely small," Houston said.