- Oregon Health and Science University (OHSU) recently signed a resolution agreement with the Office for Civil Rights (OCR) following two health data breaches it suffered in 2013.
OHSU will pay $2.7 million as part of the agreement, and will also need to follow a three-year corrective action plan, according to a university statement.
“Patient privacy has been and always will be a top priority at OHSU,” OHSU Chief Information Officer Bridget Barnes said. “OHSU is continuously working to improve protection of patient information data in a constantly changing security and technology landscape.”
The first data breach occurred when an unencrypted laptop was stolen from a surgeon’s Hawaiian vacation rental home. The device reportedly contained patient names, medical record numbers, types of surgeries, dates of surgeries, and names of surgeons. OHSU stated that 4,022 patients received data breach notification letters from that incident, and the university also offered free identity theft monitoring for patients who were at risk for identity theft.
The second data breach that OHSU reported to OCR took place in July 2013. In that incident, the university notified 3,044 patients that it had stored their data using a non-business associate in internet-based service provider Google.
Specifically, OHSU used Google Mail and Google Drive, which do have have security features in place, such as password protection. However, with Google not being an official business associate, there was also no contractual agreement in place to use or store OHSU patient health information.
Google’s terms of service allegedly stated that the data stored with its infrastructure can be used for the “purpose of operating, promoting, and improving [its] Services, and to develop new ones.” At the time of the reported data breach, OHSU was not able to confirm with Google that the PHI in question had not been, and would not be used used to develop Google services.
However, in September 2013, Google began offering business associate agreements for Google Apps. The three apps affected by the announcement were Gmail, Calendar and Drive. Even so, the agreement did not include coverage if users spread PHI to other Google apps.
The two 2013 data breaches were “stark reminders” to how OHSU must remain vigilant in keeping patient data secure, Barnes added in her statement.
“We made significant data security enhancements at the time of the incidents and now are investing at an unprecedented level in proactive measures to further safeguard patient information,” she said.
OHSU also reported that it will work with an external information security consultant and will also convene a multidisciplinary steering committee from across the university to ensure it meets all the corrective action plan requirements.
Furthermore, OHSU integrity and information security experts will work with the security consultant and its steering committee to identify any patient information security risks or vulnerabilities. Regular reports will be sent to OCR, and the university will then implement any necessary mitigation strategies.
According to Barnes, patients can greatly benefit from having access to electronic records and having email access at multiple locations. However, these new technological advances also come with security challenges.
“In the face of these challenges, OHSU is proactively working to ensure the creation of a sustainable gold standard for protected health information security and HIPAA compliance,” Barnes maintained.