The Oregon Health and Science University (OHSU) sent 4,022 patient data breach notification letters last week about a month after a surgeon’s unencrypted laptop was stolen from their Hawaii vacation rental home.
According to katu.com, the laptop was unencrypted because it had been intended for research purposes and it included patient names, medical record numbers, types of surgeries, dates of surgeries, and names of surgeons. Much of the data was derived from OHSU daily surgery schedules and 5,000 emails from late 2012 through February 20, 2013. And nine patients’ Social Security numbers were included in the laptop’s email, but the article stated that they’re being offered free identity theft monitoring by the university.
“OHSU believes cash and physical items were the target of the burglars, not the data within the email program on the computer. In addition, based on our analysis of the kind of data on the computer, we believe there is little to no ID theft risk for almost all the patients involved,” said Ronald Marcum, M.D., M.S., OHSU’s chief privacy officer and director of OHSU’s Integrity Office to katu.com. “However, in the interest of patient security and transparency and our obligation to report unauthorized access to personal health information to federal agencies, we are contacting all impacted persons.”
The reason for the delay from learning about the breach to notifying patients was OHSU wasn’t sure at first what data was on the laptop. Ironically, the Portland Business Journal reported that all OHSU laptops are password protected, but only laptops used for patient care are encrypted. The surgeon had been under the impression that all emails with patient data were secured in OHSU’s email server. In response to the breach, the university said it will mandate stronger encryption practices on its devices.
Katu.com also reported that there’s a history of this type of breach at OHSU. A doctor’s unencrypted computer was stolen out of his parked car at his Washington County home in 2009 and an OHSU laptop with 900 patient records was stolen from a motel in 2008.
PHIPrivacy.net helped point out some of this data breach’s information.