KATU reports:
Oregon Health and Science University is contacting more than 4,000 patients after a laptop containing some of their personal information was stolen from a vacation rental home in Hawaii last month.
Information from 4,022 patients was on the computer, according to OHSU spokesman Jim Newman. The surgeon who had the computer was using it for research purposes, so it was not encrypted.
Say what? Because it was being used for research, it wasn’t encrypted? According to coverage of the breach in the Portland Business Journal:
All OHSU laptops are password protected, but encryption is used only on laptops used for patient care. The laptop stolen in Hawaii was used for research and wasn’t encrypted.
The surgeon who used the computer received e-mails related to patient care, but believed they would be housed on OHSU’s secure e-mail network. But more recent e-mails are stored on the computer’s hard drive. To prevent this from happening again, OHSU said it has enacted more stringent encryption requirements.
The Columbian also covers the breach:
Information in those schedules was limited to patient names; OHSU patient medical record numbers; type of surgery; surgery dates, times and locations; patient gender and age; and names of the surgeon and anesthesiologist.
OHSU security investigators also determined that a small number of the approximately 5,000 emails contained social security numbers for a total of nine patients. Those patients are being offered free identity theft monitoring.
Read more on The Columbian.