OHSU Contacts 4,000 Surgery Patients After Data Breach

April 10, 2013

Oregon Health & Science University (OHSU) is in the midst of contacting approximately 4,000 patients after a laptop containing some of their personal health information was stolen. The laptop was taken in late February during a burglary at an OHSU surgeon's vacation rental home in Hawaii.

Officials say that the computer's desktop and documents folder did not contain sensitive data; almost all of the patient information was contained within daily surgery schedules that are e-mailed to surgeons scheduled to operate in OHSU's operating rooms. The schedules attached to those e-mails were for surgeries that took place from late 2012 through February 20, 2013. Information located in those daily schedules was limited to:

  • Patient names
  • OHSU patient medical record numbers
  • Type of surgery for each patient
  • Surgery dates, times and locations (limited to surgeries in late 2012 through Feb. 20, 2013)
  • Patient gender
  • Patient age
  • Name of the surgeon and anesthesiologist

In addition, OHSU security investigators determined that a small number of the approximately 5,000 emails stored on the laptop contained Social Security numbers for a total of 17 patients, who are being offered free identity theft monitoring.

Officials said encryption was required only for laptops used for patient care. Because the laptop in question was purchased and used for research purposes, it was not encrypted. In an effort to prevent similar issues in the future, OHSU recently enacted even more stringent encryption requirements.

"OHSU believes cash and physical items were the target of the burglars, not the data within the e-mail program on the computer. In addition, based on our analysis of the kind of data on the computer, we believe there is little to no ID theft risk for almost all the patients involved," Ronald Marcum, M.D., OHSU's chief privacy officer and director of OHSU's Integrity Office, said in a statement. "However, in the interest of patient security and transparency and our obligation to report unauthorized access to personal health information to federal agencies, we are contacting all impacted persons."

OHSU sent letters to the affected patients late last week. Patients who were impacted should receive letters in the mail within a week.
