DataBreaches.Net


OHSU says data about some patients and employees stolen in a home burglary

Posted on August 1, 2012 by Dissent

Crossposted from PHIprivacy.net:

Oregon Health & Science University Hospital officials have posted a notice on their web site. While most of the notice concerns patient information, it appears that almost 200 employees had their Social Security Numbers on the stolen USB drive.

OHSU has set up a toll free number to respond to patient questions. Information stored on the stolen computer drive was used to track the care of premature infants. Unless your past interactions with OHSU involved the care of a premature or newborn infant cared for in the neonatal ICU, your information was not on the stolen computer drive. If you still have questions, call this toll free number to speak with a representative: 1-855-650-6955.

Oregon Health & Science University Hospital officials are sending letters to the families of 702 pediatric patients after a USB drive containing some of their patient information was stolen. In total, data for more than 14,000 patients was stored on the drive, along with information for about 200 OHSU employees.

The incident does not impact all OHSU patients, but affects a limited number of premature pediatric patients who were screened for vision issues. In the vast majority of cases, the data is very limited in scope. None of the patient data is the kind of information typically used for identity theft. Nearly all the patient data was password-protected, and all of the data can only be opened by software not commonly found on personal computers. Nevertheless, OHSU is contacting patients to make them aware of the situation.

The thumb drive carrying the data was stolen during the burglary of an OHSU employee’s home July 4 or 5. The employee inadvertently took the USB drive home in a briefcase at the end of the workday. During the home burglary, the briefcase along with several other items was stolen.

Prior to the theft, the drive was used to back up data from one OHSU computer system to another and is normally locked in a secure location on campus after use. Since the theft occurred, OHSU has conducted an extensive investigation into exactly what was taken and the steps needed to access the password-protected data and open the files in a readable format.

Following is a list of the data contained on the stolen drive:

  • Pediatric patient information (name, date of birth, phone number, address, OHSU medical record number, and a one- to four-word description of the patient’s medical condition, or family medical history in some cases) for approximately 14,300 patients. The data is gathered to track the results of vision screenings for newborns born prematurely. Nearly all of this data is password-protected, and all of it is in an uncommon file format. A subset of the data for these patients was slightly more sensitive because it contains data that is considered more personal. These patients (702 in total) are receiving letters from OHSU this week.
  • A database of OHSU staff information, including names, Social Security numbers, addresses, employment-related vaccination information for 195 OHSU employees.

“Based on the home burglary investigation, the motive of the thieves appeared to be stealing items, such as jewelry, that could quickly be resold for money,” explained Ron Marcum, M.D., interim chief corporate integrity officer in the OHSU Integrity Office.

“It’s likely that the USB drive was never the target. In fact, other computer equipment in the home was left untouched. Nevertheless, based on our investigation, we are contacting families because we think it’s the right thing to do. We are also reporting the theft to the federal office that manages health information privacy and a police report was filed.”

OHSU has several measures in place to protect patient information, including encryption software for computers, password protections and secure programs for managing patient information and tracking usage. The university also provides extensive training to all employees who have access to patient data. In addition, the university has enacted several layers of policy to help protect this information.

In regard to this case, while the stolen USB drive was never intended to leave campus, OHSU has been working to develop methods for ensuring USB drives are encrypted. OHSU plans to step up these efforts in light of this incident.

OHSU has also created an FAQ on the breach. It says, in part:

The stolen drive contained records for more than 14,000 people, yet you are only contacting 702 patients. Why not contact the entire group?
None of the patient data included Social Security numbers or other data typically used for identity theft. Also, nearly all the data was password-protected. However, in 702 cases, records referenced health conditions that are a bit more personal or might be an embarrassment for a patient if disclosed. We are contacting that subgroup – not because they are in any significant heightened risk – because we want them to be aware of the nature of the data as it pertains to them.

This is the third case of off-premises data theft that OHSU has reported in recent years. In 2008, they notified 890 patients after a laptop was stolen from an employee attending a conference in Chicago. In 2009, they notified 1,000 patients after a laptop was stolen from a physician’s car parked outside his home.

Category: Breach Incidents, Health Data, Theft, U.S.
