DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

OR: Corvallis Clinic laptop with PHI stolen from employee's car

Posted on December 10, 2014 by Dissent

From the web site of Corvallis Clinic:

Patient Privacy Disclosure

As guardians entrusted with maintaining information securely, we feel it is important to notify our patients of an incident involving a single laptop computer containing limited health information.  The laptop was stolen from a Corvallis Clinic employee’s locked car at a work-related conference in Portland in mid-November.

This was a breach of Clinic policy in that patient health information was reported to have been maintained on the employee’s personal laptop that had not been evaluated or cleared for use by The Clinic’s IT security officer.

The laptop was protected by a highly secure alpha-numeric password; however, the data was not encrypted. Nevertheless, a breach of patient health information is unlikely.

We take this issue very seriously and are truly sorry for any concern or inconvenience this may cause our patients.

FAQs

What type of patient information was stored on the laptop?

The information stored was limited to spreadsheets, so any patient health information that may be on the computer is limited in data. The Clinic IT staff and third-party computer forensic experts are in the process of fully investigating what may have been stored on the laptop.

Our investigation thus far has determined that the spreadsheet likely contained the following:

  • Patient name
  • Date of birth
  • Name of treating health care provider
  • Reason for visit

None of the information is known to include Social Security numbers or financial credit information. Also, only patients seen within the last two years are potentially on the spreadsheet.

What is The Clinic doing to find out more specifics about the information? How many patients does this potentially affect?

The Clinic’s primary ethical responsibility is to our patients. We are doing our due diligence to try to ascertain what information is contained on the spreadsheet and how many patients were listed. However, unless the laptop is recovered, the exact details of the information and the total number of patients listed may never be known.

The estimated number of patients affected will be reported to the U.S. Office of Civil Rights and the Department of Health and Human Services by mid-January, 2015.

How much time elapsed from the time of the theft to when the employee notified The Clinic?

The employee reported the theft to supervisors and authorities within 24 hours.

Why did The Clinic wait until now to notify patients? Should not patients have been notified immediately?

The Clinic needed time to begin analyzing what type of patient information was on the laptop. Per federal law, an organization has 60 days to notify the public of a possible breach of patient health information security. The Clinic is notifying the public and media earlier than required because we want our patients and the community to know that we take this issue very seriously and are dedicated to the privacy and security of patient information.

What steps has The Clinic taken to help prevent this from happening in the future?

The Clinic is doing its due diligence to remind employees of its policies and procedures related to its security of health information.

Will I be able to find out if any of my information was contained on the laptop?

The Clinic will be notifying the patients who possibly have been affected by mail or, if available, email.

Additional questions?

If you have more questions, call The Clinic’s Patient Privacy Office at 855-699-0716.

h/t, Corvallis Gazette-Times

Category: Uncategorized

Post navigation

← They Know You Buy Viagra and They Want to Sell You More
Audit finds flaws remain in U. Maryland network security, even after data breach →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • PowerSchool hacker pleads guilty, released on personal recognizance bond
  • Rewards for Justice offers $10M reward for info on RedLine developer or RedLine’s use by foreign governments
  • New evidence links long-running hacking group to Indian government
  • Zaporizhzhia Cyber ​​Police Exposes Hacker Who Caused Millions in Losses to Victims by Mining Cryptocurrency
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Google: Hackers target Salesforce accounts in data extortion attacks
  • The US Grid Attack Looming on the Horizon
  • US govt login portal could be one cyberattack away from collapse, say auditors
  • Two Men Sentenced to Prison for Aggravated Identity Theft and Computer Hacking Crimes
  • 100,000 UK taxpayer accounts hit in £47m phishing attack on HMRC

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • How the FBI Sought a Warrant to Search Instagram of Columbia Student Protesters
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Malaysia enacts data sharing rules for public sector
  • U.S. Enacts Take It Down Act
  • 23andMe Bankruptcy Judge Ponders Trump Bill’s Injunction Impact
  • Hell No: The ODNI Wants to Make it Easier for the Government to Buy Your Data Without Warrant
  • US State Dept. says silence or anonymity on social media is suspicious

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.