DataBreaches.Net

OHSU says data about some patients and employees stolen in a home burglary

Posted on August 1, 2012 by Dissent

Crossposted from PHIprivacy.net:

Oregon Health & Science University Hospital officials have posted a notice on their web site. While most of the notice concerns patient information, it appears that almost 200 employees had their Social Security Numbers on the stolen USB drive.

OHSU has set up a toll free number to respond to patient questions. Information stored on the stolen computer drive was used to track the care of premature infants. Unless your past interactions with OHSU involved the care of a premature or newborn infant cared for in the neonatal ICU, your information was not on the stolen computer drive. If you still have questions, call this toll free number to speak with a representative: 1-855-650-6955.

Oregon Health & Science University Hospital officials are sending letters to the families of 702 pediatric patients after a USB drive containing some of their patient information was stolen. In total, data for more than 14,000 patients was stored on the drive, along with information for about 200 OHSU employees.

The incident does not impact all OHSU patients, but affects a limited number of premature pediatric patients who were screened for vision issues. In the vast majority of cases, the data is very limited in scope. None of the patient data is the kind of information typically used for identity theft. Nearly all the patient data was password-protected, and all of the data can only be opened by software not commonly found on personal computers. Nevertheless, OHSU is contacting patients to make them aware of the situation.

The thumb drive carrying the data was stolen during the burglary of an OHSU employee’s home July 4 or 5. The employee inadvertently took the USB drive home in a briefcase at the end of the workday. During the home burglary, the briefcase along with several other items was stolen.

Prior to the theft, the drive was used to back up data from one OHSU computer system to another and is normally locked in a secure location on campus after use. Since the theft occurred, OHSU has conducted an extensive investigation into exactly what was taken and the steps needed to access the password-protected data and open the files in a readable format.

Following is a list of the data contained on the stolen drive:

  • Pediatric patient information (name, date of birth, phone number, address, OHSU medical record number, and a one- to four-word description of the patient’s medical condition, or family medical history in some cases) for approximately 14,300 patients. The data is gathered to track the results of vision screenings for newborns born prematurely. Nearly all of this data is password-protected, and all of it is in an uncommon file format. A subset of the data for these patients was slightly more sensitive because it contains data that is considered more personal. These patients (702 in total) are receiving letters from OHSU this week.
  • A database of OHSU staff information, including names, Social Security numbers, addresses, and employment-related vaccination information for 195 OHSU employees.

“Based on the home burglary investigation, the motive of the thieves appeared to be stealing items, such as jewelry, that could quickly be resold for money,” explained Ron Marcum, M.D., interim chief corporate integrity officer in the OHSU Integrity Office.

“It’s likely that the USB drive was never the target. In fact, other computer equipment in the home was left untouched. Nevertheless, based on our investigation, we are contacting families because we think it’s the right thing to do. We are also reporting the theft to the federal office that manages health information privacy and a police report was filed.”

OHSU has several measures in place to protect patient information, including encryption software for computers, password protections and secure programs for managing patient information and tracking usage. The university also provides extensive training to all employees who have access to patient data. In addition, the university has enacted several layers of policy to help protect this information.

In regard to this case, while the stolen USB drive was never intended to leave campus, OHSU has been working to develop methods for ensuring USB drives are encrypted. OHSU plans to step up these efforts in light of this incident.

OHSU has also created an FAQ on the breach. It says, in part:

The stolen drive contained records for more than 14,000 people, yet you are only contacting 702 patients. Why not contact the entire group?
None of the patient data included Social Security numbers or other data typically used for identity theft. Also, nearly all the data was password-protected. However, in 702 cases, records referenced health conditions that are a bit more personal or might be an embarrassment for a patient if disclosed. We are contacting that subgroup – not because they are in any significant heightened risk – because we want them to be aware of the nature of the data as it pertains to them.

This is the third case of off-premises data theft that OHSU has reported in recent years. In 2008, they notified 890 patients after a laptop was stolen from an employee attending a conference in Chicago. In 2009, they notified 1,000 patients after a laptop was stolen from a physician’s car parked outside his home.

Category: Breach Incidents, Health Data, Theft, U.S.

© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.