
CAMBRIDGE, Mass. (AP) – Harvard University officials shut off access to campus online polling software after student newspaper reporters found that it could be used to collect student ID numbers and gain access to prescription drug records.

Harvard closed down the software tool that faculty use to survey students after reporters from The Harvard Crimson demonstrated how it could be used to obtain any student or employee’s Harvard identification number.

Students, staff, and faculty use the eight-digit ID numbers, printed on identification cards, to conduct business on campus.

The Crimson also reported that by using student birth dates and ID numbers obtained from the polling site, its staff members were able to use a Web site run by an outside health care firm, Rhode Island-based PharmaCare, to gain access to lists of prescription drugs bought by Harvard students.

The company blocked Harvard’s access to that Web site at the university’s request.

The Crimson alerted the university to the security problem on Thursday, before publishing its story the next day; the alert prompted the university to block the software, called iCommons Poll Tool. The problem was being fixed on Friday, said Dan Moriarty, Harvard’s chief information officer.

University computing records showed that the Crimson reporters were the only people to use the system in the way their story described, said Moriarty, who described the multistep process required to steal ID numbers as complicated and unlikely to be widely known.

Mostly used by professors, the polling software has more recently been made available to some campus groups, including the student newspaper, he said.

“It would take a reasonable amount of sophistication and knowledge of a specific tool,” he said of the means by which ID numbers were accessed. “There was a vulnerability, but the log shows, happily for us, that it was not exploited.”

On Friday, Harvard officials worked with PharmaCare administrators to review the firm’s Web site records and determine whether anyone but the Crimson staff members used the site improperly.

Moriarty said the company’s Web site did not meet the university’s security standards, which have been upgraded in recent years so that student ID numbers are not also their passwords for access to Harvard Web sites. However, the Crimson reported that despite university policy, many professors still e-mail their students all class grades listed by ID numbers.

PharmaCare officials issued a statement through a public relations firm, saying that “PharmaCare protects Personal Health Information (PHI) in a diligent manner that is consistently in compliance with all regulations.”

AP-ES-01-22-05 1617EST

