Uploaded image for project: 'XNAT'
  1. XNAT
  2. XNAT-6511

New compressed uploader tracks and stores original file name, study instance UID, possibly patient ID

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Open
    • Priority: Blocker
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: 1.8
    • Component/s: None
    • Labels:
      None
    • Sprint:
    • Rank:
      0|0hzyeb:
    • Sprint:

      Description

      The new (as of 1.7.7) version of the compressed uploader stores various pieces of potential sensitive information in the database (and exposes them to the user). The things I've noticed are:

      1. Original file name. What if the file were named PATIENT_DOE_JOHN.zip, and the user was relying on XNAT for anonymization?
      2. Original Study Instance UID. Even if XNAT is configured to modify incoming UIDs, the original UID gets captured and stored here. (It also gets stored in the session, see XNAT-5453).
      3. Patient ID. In the screenshot, the patient ID was technically recorded. That might be because I hadn't done anything to make XNAT do routing on a different header, so this one might be a non-issue. That is to say, if the patient ID actually had PHI, the user wouldn't be using that tag for routing.

      Is this a concern to worry about? Should we resolve it? How?

        Attachments

          Activity

            People

            Assignee:
            moore.stephen.m@wustl.edu Steve Moore
            Reporter:
            moore.c@wustl.edu Charlie Moore
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Dates

              Created:
              Updated: