OHSU Contacts 4,000 Surgery Patients After Data Breach

April 10, 2013
Oregon Health & Science University (OHSU) is in the midst of contacting approximately 4,000 patients after a laptop containing some of their personal information was stolen. The laptop was taken during a burglary at an OHSU surgeon's vacation rental home while in Hawaii in late February.

Oregon Health & Science University (OHSU) is in the midst of contacting approximately 4,000 patients after a laptop containing some of their personal health information was stolen. The laptop was taken during a burglary at an OHSU surgeon's vacation rental home while in Hawaii in late February.

Officials say that the computer's desktop and documents folder did not contain sensitive data; almost all of the patient information was contained within daily surgery schedules that are e-mailed to surgeons scheduled to operate in OHSU's operating rooms. Those schedules attached to e-mails were for surgeries that took place in late 2012 through February 20, 2013. Information located in those daily schedules was limited to:

  • Patient names
  • OHSU patient medical record numbers
  • Type of surgery for each patient
  • Surgery dates, times and locations (limited to surgeries in late 2012 through Feb. 20, 2013)
  • Patient gender
  • Patient age
  • Name of the surgeon and anesthesiologist

In addition, OHSU security investigators determined that a small number of the approximately 5,000 emails stored on the laptop contained Social Security numbers for a total of 17 patients, who are being offered free identity theft monitoring.

Officials said encryption was required only for laptops used for patient care. Because the laptop in question was purchased and used for research purposes, it was not encrypted. In an effort to prevent similar issues in the future, OHSU recently enacted even more stringent encryption requirements.

"OHSU believes cash and physical items were the target of the burglars, not the data within the e-mail program on the computer. In addition, based on our analysis of the kind of data on the computer, we believe there is little to no ID theft risk for almost all the patients involved,” Ronald Marcum, M.D., OHSU's chief privacy officer and director of OHSU's Integrity Office, said in a statement. "However, in the interest of patient security and transparency and our obligation to report unauthorized access to personal health information to federal agencies, we are contacting all impacted persons.”

OHSU sent letters to the affected patients late last week. Patients who were impacted should receive letters in the mail within a week.

Sponsored Recommendations

Trailblazing Technologies: Looking at the Top Technologies for the Emerging U.S. Healthcare System

Register for the first session of the Healthcare Innovation Spotlight Series today to learn more about 'Healthcare's New Promise: Generative AI', the latest technology that is...

Data: The Bedrock of Digital Engagement

Join us on March 21st to discover how data serves as the cornerstone of digital engagement in healthcare. Learn from Frederick Health's transformative journey and gain practical...

Northeast Georgia Health System: Scaling Digital Transformation in a Competitive Market

Find out how Northeast Georgia Health System (NGHS) enabled digital access to achieve new patient acquisition goals in Georgia's highly competitive healthcare market.

2023 Care Access Benchmark Report for Healthcare Organizations

To manage growing consumer expectations and shrinking staff resources, forward-thinking healthcare organizations have adopted digital strategies, but recent research shows that...