Skip to content Skip to navigation

OHSU Contacts 4,000 Surgery Patients After Data Breach

March 26, 2013
by Rajiv Leventhal
| Reprints

Oregon Health & Science University (OHSU) is in the midst of contacting approximately 4,000 patients after a laptop containing some of their personal health information was stolen. The laptop was taken during a burglary at an OHSU surgeon's vacation rental home while in Hawaii in late February.

Officials say that the computer's desktop and documents folder did not contain sensitive data; almost all of the patient information was contained within daily surgery schedules that are e-mailed to surgeons scheduled to operate in OHSU's operating rooms. Those schedules attached to e-mails were for surgeries that took place in late 2012 through February 20, 2013. Information located in those daily schedules was limited to:

  • Patient names
  • OHSU patient medical record numbers
  • Type of surgery for each patient
  • Surgery dates, times and locations (limited to surgeries in late 2012 through Feb. 20, 2013)
  • Patient gender
  • Patient age
  • Name of the surgeon and anesthesiologist

In addition, OHSU security investigators determined that a small number of the approximately 5,000 emails stored on the laptop contained Social Security numbers for a total of 17 patients, who are being offered free identity theft monitoring.

Officials said encryption was required only for laptops used for patient care. Because the laptop in question was purchased and used for research purposes, it was not encrypted. In an effort to prevent similar issues in the future, OHSU recently enacted even more stringent encryption requirements.

"OHSU believes cash and physical items were the target of the burglars, not the data within the e-mail program on the computer. In addition, based on our analysis of the kind of data on the computer, we believe there is little to no ID theft risk for almost all the patients involved,” Ronald Marcum, M.D., OHSU's chief privacy officer and director of OHSU's Integrity Office, said in a statement. "However, in the interest of patient security and transparency and our obligation to report unauthorized access to personal health information to federal agencies, we are contacting all impacted persons.”

OHSU sent letters to the affected patients late last week. Patients who were impacted should receive letters in the mail within a week.



ONC National Coordinator Gets Live Look at Carequality Data Exchange

Officials from Carequality have stated that there are now more than 150,000 clinicians across 11,000 clinics and 500 hospitals live on its network. These participants are also able to share health data records with one another, regardless of technology vendor.

American Red Cross, Teladoc to Provide Telehealth Services to Disaster Victims

The American Red Cross announced a partnership with Teladoc to deliver remote medical care to communities in the United States that are significantly affected by disasters.

Report: The Business of Cybercrime in Healthcare is Growing

While stolen financial data still has a higher market value than stolen medical records, as financial data can be monetized faster, there are indications that there is ongoing development of a market for stolen medical data, according to an Intel Security McAfee Labs report.

Phishing Attack at Baystate Health Potentially Exposes Data of 13K Patients

A phishing scam at Baystate Health in Springfield, Mass. has potentially exposed the personal data of 13,000 patients, according to a privacy statement from the patient care organization and a report from MassLive.

New Use Cases Driving Growth in Health Data Exchange through Direct

In an update, DirectTrust reported significant growth in Direct exchange of health information and the number of trusted Direct addressed enabled to share personal health information (PHI) in the third quarter of 2016.

Insurers to CBO: Consider Private Insurers’ Data in Evaluations of Telemedicine

Eleven private insurers, including Aetna, Humana and Anthem, are urging the Congressional Budget Office (CBO) to consider the experience of commercial insurers when evaluating the impact of telemedicine coverage in Medicare.