Healthcare Information Security

Cloud News

OIG Finds Unprotected PII in Federal Cloud Computing System

Several OIG reports found that the General Services Administration had unprotected PII in its cloud computing system, making data available to unauthorized individuals.

Cloud computing must ensure that PHI and PII do not go unprotected

Source: Thinkstock

By Elizabeth Snell

- With more organizations utilizing cloud computing options, including the healthcare industry, it is essential that necessary security measures are taken. A failure to do so could leave PHI or PII unprotected and vulnerable, potentially falling into the wrong hands.

The Office of Inspector General (OIG) recently released reports detailing how one federal agency had lackluster PII security, allowing data to be potentially accessible to unauthorized individuals.

The General Services Administration’s (GSA) cloud computing system left PII unprotected in instances dating back to 2014, OIG found. The reports were not immediately made public because OIG was worried that “the reports presented information about then existing security vulnerabilities.”

OIG noted that by releasing the results from the audits at this time does not “imply that a new event has occurred.”

A data breach was found in the GSA cloud computing environment, containing “sensitive but unclassified building information” and PII, the report stated.

In this situation, PII includes medical history, along with other identifying factors such as education, financial transactions, and criminal or employment history. Additionally, names, Social Security numbers, dates of birth, and biometric records may be included in the definition of PII, OIG stated.

“The sensitive information was accessible to GSA employees and contractors without a valid need to know such information,” OIG explained. “We determined that GSA was not proactive in securing sensitive data in its Google cloud computing environment and has not taken a comprehensive approach to correct the problem.”

OIG first noticed the issue on July 29, July 30, and August 7, 2014. On August 19, 2014, it issued an alert report. Approximately 900 individuals were affected by the incident. GSA sent breach notifications to nearly 600 of those individuals on August 18 and August 20, 2014.

However, the notification was not descriptive, according to OIG, and it “minimized the severity of the breach to those affected.”

“During our audit, we reviewed a limited number of these documents and found PII was accessible to those without a valid need to know the information,” the report’s authors explained. “We do not know how many of the unreviewed documents in GSA’s Google cloud computing environment contain unprotected sensitive content.”

Because of this, OIG added that it could not definitively state that all instances of unprotected PII had been found.

In the case of this specific breach, it was also found that GSA did not provide signed Memorandums of Understanding from the Google site owners, having them accept responsibility for owning and operating the sites.

Specifically, GSA IT did not fully implement four of the 47 action steps in the proposed action plan from OIG.

  • Complete three action steps requiring Google Sites owners to sign a memorandum of understanding (MOU) accepting responsibility for the proper operation of their site. This requirement only applied to site owners who wished to continue allowing GSA-wide access to their site
  • Fully implement an action step to notify affected individuals for whom the Agency identified a moderate or high risk of potential harm based on the PII involved.

GSA had been one of the first federal government agencies to adopt a cloud computing system, OIG explained in its report. The transition process gave GSA employees access to collaboration tools, including Google Groups, Sites, and Docs.

This situation should provide a strong reminder to healthcare organizations that data security is essential, and must be updated as new technologies and systems are implemented into daily operations. Furthermore, business associate agreements are necessary if other entities are going to be handling or storing patient PHI.

In July 2016, Oregon Health & Science University (OHSU) agreed to a $2.7 million OCR HIPAA settlement following alleged HIPAA violations.

OCR investigated two alleged data breaches, one of which involved inappropriate use of Google Docs. OHSU reportedly utilized Google Mail and Google Drive, which do have have security features in place, such as password protection. Google was not an official business associate with OHSU, so there was no contractual agreement in place to use or store OHSU patient health information.


SIGN UP and gain free access to articles, white papers, webcasts and exclusive interviews on

HIPAA Compliance
Data Breaches

Our privacy policy

no, thanks