DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Oregon Health & Science University notifies patients of ‘cloud’ health information storage

Posted on July 28, 2013 by Dissent

Oregon Health & Science University is notifying 3,044 patients that their OHSU health information was stored on an Internet-based email and/or document storage service, also known as a “cloud” computing system.

Although the Internet-based service provider (Google Drive, Google Mail) is password-protected and has security measures and policies in place to protect information, it is not an OHSU business associate with a contractual agreement to use or store OHSU patient health information.

There is no evidence that the data was accessed or used by anyone who did not have a legitimate patient care need to view the information. However, the terms of service indicate the data stored with the Internet-based provider can be used for the “purpose of operating, promoting, and improving [its] Services, and to develop new ones.” OHSU has been unable to confirm with the Internet service provider that OHSU health information has not been, and will not be, used for these purposes. Consequently, OHSU is notifying all affected patients.

In May 2013, an OHSU School of Medicine faculty member discovered residents, or physicians-in-training, in the Division of Plastic and Reconstructive Surgery were using Internet-based services to maintain a spreadsheet of patients. Their intent was to provide each other up-to-date information about who was admitted to the hospital under the care of their division.

Upon learning of the incident, OHSU Information Privacy and Security experts undertook an extensive investigation to determine what information was stored on the Internet-based service, who was impacted and the likelihood that disclosure of the information could cause harm to the patients involved. This investigation led to the discovery of a similar practice in the Department of Urology and in Kidney Transplant Services. After weeks spent reconstructing the data, the privacy and security experts discovered 3,044 patients admitted to the hospital between Jan. 1, 2011, and July 3, 2013, were affected.

The data stored with the Internet service provider included the patient’s name, medical record number, dates of service, age, provider’s name and diagnosis/prognosis. For 731 patients, the data also included an address. For 617 patients, neither the reason for hospital stay, or diagnosis, nor the patient’s prognosis, or projected outcome, was among the stored data. The data DID NOT include the patient’s Social Security Number, insurance information, credit card information, bank information, phone number or date of birth.

“We do not believe this incident will result in identity theft or financial harm; however, in the interest of patient security and transparency and our obligation to report unauthorized access to personal health information to federal agencies, we are contacting all affected patients. We sincerely apologize for any inconvenience or worry this may cause our patients or their families,” said John Rasmussen, OHSU’s Chief Information Security Officer.

All OHSU patient health information found on the Internet-based service has been removed, and all residents have been re-educated about the critical importance of using OHSU-approved tools for securely sharing and updating patient information.”

A 1-800-number has been established to answer patient questions and concerns. That number is 877 819-9774. The hotline will be staffed Monday through Friday, 6 a.m.to 6 p.m.

Letters were sent to affected patients July 26, 2013.

SOURCE: Oregon Health & Science University

Note that this is OHSU’s fifth breach that I’ve reported on this blog since 2008:

  • In December 2008, they notified 890 patients whose PHI was on a laptop stolen from an employee attending a conference in Chicago;
  • In June 2009 – also before HITECH went into effect – OHSU notified 1000 patients that their names, treatment information and medical record numbers were on a laptop stolen from a physician’s car outside the doctor’s home (subscription and login required)
  • In July 2012, more than 14,000 pediatric patients and 200 employees had data on a USB drive stolen in a home burglary; and
  • In March 2013, they reported that more than 4,000 patients had PHI on a laptop stolen from a researcher’s rental home.

 

Category: Health Data

Post navigation

← VisLink Surveillance Hacked, Accounts leaked and Partners Exposed
HALOCK Investigation Finds that 25% of Sampled Colleges and Universities Are Putting Student and Parent Private Financial Data at Risk →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • ICE takes steps to deport the Australian hacker known as “DR32”
  • Hearing on the Federal Government and AI
  • Nigerian National Sentenced To More Than Five Years For Hacking, Fraud, And Identity Theft Scheme
  • Data breach of patient info ends in firing of Miami hospital employee
  • Texas DOT investigates breach of crash report records, sends notification letters
  • PowerSchool hacker pleads guilty, released on personal recognizance bond
  • Rewards for Justice offers $10M reward for info on RedLine developer or RedLine’s use by foreign governments
  • New evidence links long-running hacking group to Indian government
  • Zaporizhzhia Cyber ​​Police Exposes Hacker Who Caused Millions in Losses to Victims by Mining Cryptocurrency
  • Germany fines Vodafone $51 million for privacy, security breaches

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The Decision That Murdered Privacy
  • Hearing on the Federal Government and AI
  • California county accused of using drones to spy on residents
  • How the FBI Sought a Warrant to Search Instagram of Columbia Student Protesters
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Malaysia enacts data sharing rules for public sector
  • U.S. Enacts Take It Down Act

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.