As I read coverage around the internet, I saw a few reports on the recent OHSU breach that described it as OHSU's third reported HIPAA breach since 2009. Actually, it is only the second breach that will appear on HHS's breach tool, but it is important to note that this is OHSU's fourth HIPAA breach that we know about since 2008. And disturbingly, all four of them involved stolen devices holding unencrypted patient information:
- In December 2008, OHSU notified 890 patients that a laptop stolen from a hotel where an employee was staying on business might contain patient records.
- In June 2009 – also before HITECH went into effect – OHSU notified 1000 patients that their names, treatment information and medical record numbers were on a laptop stolen from a physician’s car outside the doctor’s home.
- In July 2012, OHSU disclosed that a USB drive stolen from an employee's home held 14,495 names and addresses, along with dates of birth, phone numbers and medical numbers for about 14,300 of those people, Social Security numbers for 195 of them, and vaccination information. OHSU notified only 702 of those affected, primarily those whose records "referenced health conditions that are a bit more personal or might be an embarrassment for a patient if disclosed."
- And now, OHSU is notifying 4,022 patients whose information was on a researcher’s laptop stolen from a vacation rental home.
The question seems obvious: what the hell will it take before OHSU encrypts all devices? At what point do we, and HHS, say "enough is enough" and call this downright negligent, or at least a failure to learn from experience? Under the HITECH breach notification rule, PHI that is encrypted in line with HHS's guidance counts as "secured," so the theft of a device holding only properly encrypted data (with the key kept elsewhere) is not a reportable breach at all. Maybe the doctor who left the laptop in the car violated protocols, but if the data had been encrypted, there would not have been a reportable breach. Maybe the employee who accidentally took the USB drive home made a mistake, but if the data had been encrypted, there would not have been a reportable breach. And if OHSU had a policy of encrypting devices used for research purposes, the most recent laptop theft would not have been a reportable incident either.
Approximately 20,000 people had their protected health information needlessly exposed and stolen because OHSU didn’t – and doesn’t – encrypt all devices containing PHI.
HHS has seemingly not closed its investigation of the incident reported in July 2012, and the newest incident has not yet been added to its breach tool. But because HHS has no records on the 2008 and 2009 incidents, it is likely to miss the big picture: that OHSU has had repeated and easily avoidable breaches, every one of them traceable to the same unencrypted-device problem.
And that’s a shame.