Skip to content Skip to navigation

Oregon Health & Science University Agrees to Pay $2.7M to Settle 2013 Data Breaches

July 14, 2016
by Rajiv Leventhal
| Reprints

Oregon Health & Science University (OHSU) has signed a resolution agreement with the U.S. Department of Health and Human Services Office for Civil Rights (OCR) following an investigation of two data breaches of electronic protected health information (PHI) that occurred in 2013.

In one of the incidents, information of more than 3,000 patients at OHSU was compromised after medical residents inappropriately stored the data on a cloud computing system. The other incident that year involved a stolen laptop containing the information of more than 4,000 patients. The resolution agreement just signed by the organization includes a one-time payment of $2.7 million and a rigorous three-year corrective action plan, according to an OHSU press release.

OHSU attests that no harm has been reported by any patients involved in either incident. Following an internal investigation in 2013, OHSU reported the breaches to OCR; offered free identity theft protection services to patients at risk for identity theft; established a 1-800-number to answer patient questions and concerns; implemented enhanced computer encryption across the university; and issued press releases outlining the incidents.

Over the next few months and beyond, OHSU integrity and information security experts will work with the consultant and the institution’s steering committee to identify patient information security risks or vulnerabilities, and make regular reports to OCR, and implement any necessary mitigation strategies, officials say.

“Patient privacy has been and always will be a top priority at OHSU. OHSU is continuously working to improve protection of patient information data in a constantly changing security and technology landscape,” said Bridget Barnes, OHSU CIO. “The two breaches that occurred in 2013 were stark reminders to OHSU how vigilant we must be. We made significant data security enhancements at the time of the incidents and now are investing at an unprecedented level in proactive measures to further safeguard patient information.”



OSU Wexner Medical Center Receives AHIMA Grace Award

The Ohio State University Wexner Medical Center (OSUWMC) received the American Health Information Management Association (AHIMA) annual Grace Award in recognition of its leadership in health information management.

Kansas Health Information Network Expands its Network across State Lines

The Kansas Health Information Network (KHIN) has announced that it is expanding its horizons, and is now connected to Health Information Exchange Texas (HIETexas).

CMS Selects Vendor to Modernize Critical Identity Infrastructure

The Centers for Medicare & Medicaid Services (CMS) last week announced it had selected San Francisco-based vendor Okta to enhance the security of its information systems.

Mayo Clinic, ASU Partner for Medical Education, Healthcare Innovation

The Mayo Clinic and Arizona State University have announced a partnership centered on transforming medical education and healthcare in the U.S. through a variety of innovation efforts.

CMS Hospital Compare Website Updated with VA Data

The Centers for Medicare & Medicaid Services (CMS) has announced the inclusion of Veterans Administration (VA) hospital performance data as part of the federal agency’s Hospital Compare website.

CMS Awards Funding to Special Innovation Projects

The Centers for Medicare & Medicaid Services (CMS) has awarded 20, two-year Special Innovation Projects (SIPs) aimed at local efforts to deliver better care at lower cost.