Privacy Breach at OHSU Affects More than 3,000 Patients | Healthcare Informatics Magazine | Health IT | Information Technology

Privacy Breach at OHSU Affects More than 3,000 Patients

July 30, 2013
by Rajiv Leventhal

Information for 3,044 patients at the Portland-based Oregon Health & Science University (OHSU) has been compromised after medical residents inappropriately stored the data on a cloud computing system, according to the institution’s announcement.

In May, an OHSU School of Medicine faculty member discovered residents, or physicians-in-training, in the Division of Plastic and Reconstructive Surgery were using internet-based services to maintain a spreadsheet of patients. Their intent was to provide each other up-to-date information about who was admitted to the hospital under the care of their division.

Although the internet-based service provider (Google Drive, Google Mail) is password-protected and has security measures and policies in place to protect information, it is not an OHSU business associate with a contractual agreement to use or store OHSU patient health information.

There is no evidence that the data was accessed or used by anyone who did not have a legitimate patient care need to view the information. OHSU has been unable to confirm with the internet service provider that OHSU health information has not been, and will not be, used for these purposes. Consequently, OHSU is notifying all affected patients, officials said.

After OHSU learned of the incident, its investigation led to the discovery of a similar practice in the Department of Urology and in Kidney Transplant Services. After weeks spent reconstructing the data, the privacy and security experts discovered that 3,044 patients admitted to the hospital between Jan. 1, 2011, and July 3, 2013, were affected.

The data stored with the internet service provider included the patient’s name, medical record number, dates of service, age, provider’s name and diagnosis/prognosis. For 731 patients, the data also included an address. For 617 patients, neither the reason for hospital stay, or diagnosis, nor the patient’s prognosis, or projected outcome, was among the stored data. Social Security numbers, insurance information, credit card information, bank information, phone numbers, or dates of birth were not among the stored information, according to the university.

“We do not believe this incident will result in identity theft or financial harm; however, in the interest of patient security and transparency and our obligation to report unauthorized access to personal health information to federal agencies, we are contacting all affected patients. We sincerely apologize for any inconvenience or worry this may cause our patients or their families,” John Rasmussen, OHSU’s chief information security officer, said in a statement.

About a year ago at OHSU, a USB drive containing data for more than 14,000 patients, 200 employees, and specific patient information for 702 pediatric patients was stolen from the house of a university employee.
