OHSU says data about some patients and employees stolen in a home burglary

Crossposted from PHIprivacy.net:

Oregon Health & Science University Hospital officials have posted a notice on their web site. While most of the notice concerns patient information, it appears that almost 200 employees had their Social Security Numbers on the stolen USB drive.

OHSU has set up a toll free number to respond to patient questions. Information stored on the stolen computer drive was used to track the care of premature infants. Unless your past interactions with OHSU involved the care of a premature or newborn infant cared for in the neonatal ICU, your information was not on the stolen computer drive. If you still have questions, call this toll free number to speak with a representative: 1-855-650-6955.

Oregon Health & Science University Hospital officials are sending letters to the families of 702 pediatric patients after a USB drive containing some of their patient information was stolen. In total, data for more than 14,000 patients was stored on the drive, along with information for about 200 OHSU employees.

The incident does not impact all OHSU patients, but affects a limited number of premature pediatric patients who were screened for vision issues. In the vast majority of cases, the data is very limited in scope. None of the patient data is the kind of information typically used for identity theft. Nearly all the patient data was password-protected, and all of the data can only be opened by software not commonly found on personal computers. Nevertheless, OHSU is contacting patients to make them aware of the situation.

The thumb drive carrying the data was stolen during the burglary of an OHSU employee’s home July 4 or 5. The employee inadvertently took the USB drive home in a briefcase at the end of the workday. During the home burglary, the briefcase along with several other items was stolen.

Prior to the theft, the drive was used to back up data from one OHSU computer system to another and is normally locked in a secure location on campus after use. Since the theft occurred, OHSU has conducted an extensive investigation into exactly what was taken and the steps needed to access the password-protected data and open the files in a readable format.

Following is a list of the data contained on the stolen drive:

  • Pediatric patient information (name, date of birth, phone number, address, OHSU medical record number, and a one- to four-word description of the patient’s medical condition, or family medical history in some cases) for approximately 14,300 patients. The data is gathered to track the results of vision screenings for newborns born prematurely. Nearly all of this data is password-protected, and all of it is in an uncommon file format. A subset of the data for these patients was slightly more sensitive because it contains data that is considered more personal. These patients (702 in total) are receiving letters from OHSU this week.
  • A database of OHSU staff information, including names, Social Security numbers, addresses, employment-related vaccination information for 195 OHSU employees.

“Based on the home burglary investigation, the motive of the thieves appeared to be stealing items, such as jewelry, that could quickly be resold for money,” explained Ron Marcum, M.D., interim chief corporate integrity officer in the OHSU Integrity Office.

“It’s likely that the USB drive was never the target. In fact, other computer equipment in the home was left untouched. Nevertheless, based on our investigation, we are contacting families because we think it’s the right thing to do. We are also reporting the theft to the federal office that manages health information privacy and a police report was filed.”

OHSU has several measures in place to protect patient information, including encryption software for computers, password protections and secure programs for managing patient information and tracking usage. The university also provides extensive training to all employees who have access to patient data. In addition, the university has enacted several layers of policy to help protect this information.

In regard to this case, while the stolen USB drive was never intended to leave campus, OHSU has been working to develop methods for ensuring USB drives are encrypted. OHSU plans to step up these efforts in light of this incident.

OHSU has also created an FAQ on the breach. It says, in part:

The stolen drive contained records for more than 14,000 people, yet you are only contacting 702 patients. Why not contact the entire group?
None of the patient data included Social Security numbers or other data typically used for identity theft. Also, nearly all the data was password-protected. However, in 702 cases, records referenced health conditions that are a bit more personal or might be an embarrassment for a patient if disclosed. We are contacting that subgroup – not because they are in any significant heightened risk – because we want them to be aware of the nature of the data as it pertains to them.

This is the third case of off-premises data theft that OHSU has reported in recent years. In 2008, they notified 890 patients after a laptop was stolen from an employee attending a conference in Chicago. In 2009, they notified 1,000 patients after a laptop was stolen from a physician’s car parked outside his home.

About the author: Dissent

Comments are closed.