DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

University of Oklahoma’s Urology Clinic notifying 9,300 of possible HIPAA breach after yet another laptop is stolen from a physician’s car

Posted on October 14, 2015 by Dissent

In July, the University of Oklahoma College of Medicine – Department of Obstetrics & Gynecology notified almost 7,700 patients after a laptop was stolen from physician’s car.

Now the University of Oklahoma’s Urology Clinic is notifying 9,300 patients about the theft of another laptop with protected health information.

From their statement:

The University of Oklahoma takes patient privacy seriously and, out of an abundance of caution, has mailed letters to notify certain patients of a potential privacy matter. On or about August 14, 2015, the University was made aware that a laptop that may have included limited patient health information had been stolen from a physician who formerly worked for the University of Oklahoma Department of Urology. The theft occurred during the overnight hours of July 16 – July 17. The physician immediately contacted the local police and reported the theft of the laptop. The physician may have had a data base spreadsheet stored on the laptop, which was password-protected but not encrypted. The spreadsheet may have contained limited information from pediatric urology procedures occurring between 1996 and 2009, such as patient name, diagnosis and treatment codes and dates (most between 1996-2006), date of birth or age, a brief description of a urologic medical treatment or procedure, medical record number, and the treating physician’s name. Social Security numbers were not included. Addresses were not included. No credit or account information was included.

Possible theft of PHI from an unattended vehicle is bad enough, and the fact that this is the second laptop theft from a vehicle in relatively short order is certainly concerning, but here’s the part that may really raise an eyebrow or two at OCR:

The University determined on or about September 18 that the former physician and his current employer had not yet notified the University patients whose information may have been on the laptop, so the University is doing so.

Why would the University harbor any thought that the current employer would notify UO’s patients, when it was UO’s responsibility to protect their patients’ information?

And if that’s not serious enough, consider the fact that they didn’t know the physician had retained patient information:

The Department was not aware that the physician had taken any of its patient information with him when he left the University. The University has policies that generally prohibit the removal of documents that contain patient information from its premises and that require employees to protect patient information on laptops at all times, including by storing it securely.

The physician is not certain that patient information was on the laptop, but the University wanted to notify patients of this incident and assure them that this matter is being taken seriously. In addition, the University is offering to provide a one-year subscription to credit monitoring and reporting services at no cost to the patients whose information may have been on the spreadsheets, to address any concerns they may have.

The Department is taking additional steps to help prevent similar incidents from occurring and is providing additional training to employees on the importance of securing patient information. Individuals who believe they may be affected but who have not received a letter from the University may contact the Office of Compliance at 405-271-2511 or toll-free at 1-866-836-3150.

I’d love to know what those additional steps are to prevent a recurrence.

Category: Health DataTheftU.S.

Post navigation

← Vote imminent on controversial US cyber security ‘sharing’ bills?
US taxman slammed: Half of the IRS’s servers still run doomed Windows Server 2003 →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • AMI Group – Travel & Tours notice of ransomware attack
  • Resource: Insider Threat reports
  • Za: Cyber extortionist sentenced to eight years in jail
  • ICE takes steps to deport the Australian hacker known as “DR32”
  • Hearing on the Federal Government and AI
  • Nigerian National Sentenced To More Than Five Years For Hacking, Fraud, And Identity Theft Scheme
  • Data breach of patient info ends in firing of Miami hospital employee
  • Texas DOT investigates breach of crash report records, sends notification letters
  • PowerSchool hacker pleads guilty, released on personal recognizance bond
  • Rewards for Justice offers $10M reward for info on RedLine developer or RedLine’s use by foreign governments

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The Decision That Murdered Privacy
  • Hearing on the Federal Government and AI
  • California county accused of using drones to spy on residents
  • How the FBI Sought a Warrant to Search Instagram of Columbia Student Protesters
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Malaysia enacts data sharing rules for public sector
  • U.S. Enacts Take It Down Act

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.