Oregon Health & Science University (OHSU) is in the midst of contacting approximately 4,000 patients after a laptop containing some of their personal health information was stolen. The laptop was taken during a burglary at an OHSU surgeon's vacation rental home while the surgeon was in Hawaii in late February.
Officials say that the computer's desktop and documents folder did not contain sensitive data; almost all of the patient information was contained within daily surgery schedules that are e-mailed to surgeons scheduled to operate in OHSU's operating rooms. The schedules, attached to e-mails, were for surgeries that took place from late 2012 through February 20, 2013. Information located in those daily schedules was limited to:
- Patient names
- OHSU patient medical record numbers
- Type of surgery for each patient
- Surgery dates, times and locations (limited to surgeries in late 2012 through Feb. 20, 2013)
- Patient gender
- Patient age
- Name of the surgeon and anesthesiologist
In addition, OHSU security investigators determined that a small number of the approximately 5,000 e-mails stored on the laptop contained Social Security numbers for a total of 17 patients, who are being offered free identity theft monitoring.
Officials said encryption was required only for laptops used for patient care. Because the laptop in question was purchased and used for research purposes, it was not encrypted. In an effort to prevent similar issues in the future, OHSU recently enacted even more stringent encryption requirements.
"OHSU believes cash and physical items were the target of the burglars, not the data within the e-mail program on the computer. In addition, based on our analysis of the kind of data on the computer, we believe there is little to no ID theft risk for almost all the patients involved," Ronald Marcum, M.D., OHSU's chief privacy officer and director of OHSU's Integrity Office, said in a statement. "However, in the interest of patient security and transparency and our obligation to report unauthorized access to personal health information to federal agencies, we are contacting all impacted persons."
OHSU sent letters to the affected patients late last week. Patients who were impacted should receive letters in the mail within a week.