OHSU pays nearly $3 million over two data breaches in 2013

Lynn Terry has the scoop on what appears to be a new HHS resolution agreement. There’s nothing up on HHS’s site or in my mailbox yet about this one, but I had covered the four breaches mentioned in her report as well as a more recent breach (search OHSU).

Oregon Health & Science University has agreed to pay federal authorities $2.7 million for two data breaches in 2013 that involved more than 7,000 patients.

OHSU also will enact a “rigorous three-year corrective action plan” as part of a resolution agreement with the U.S. Department of Health and Human Services Office for Civil Rights, according to a statement released Wednesday.

The two breaches occurred within three months of each other. One occurred after a surgeon’s laptop was stolen from a Hawaii vacation rental. The computer, which had information on 4,022 patients, was not encrypted. The other case involved newly minted physicians in residency programs for both plastic surgery and urology, and kidney transplants who used an internet-based storage device, or cloud service, to maintain a spreadsheet of patients. The spreadsheet had information on 3,044 people.

Read more on Oregon Live.

About the author: Dissent