OR: Corvallis Clinic laptop with PHI stolen from employee's car

From the web site of Corvallis Clinic:

Patient Privacy Disclosure

As guardians entrusted with maintaining information securely, we feel it is important to notify our patients of an incident involving a single laptop computer containing limited health information.  The laptop was stolen from a Corvallis Clinic employee’s locked car at a work-related conference in Portland in mid-November.

This was a breach of Clinic policy in that patient health information was reported to have been maintained on the employee’s personal laptop that had not been evaluated or cleared for use by The Clinic’s IT security officer.

The laptop was protected by a highly secure alpha-numeric password; however, the data was not encrypted. Nevertheless, a breach of patient health information is unlikely.

We take this issue very seriously and are truly sorry for any concern or inconvenience this may cause our patients.


What type of patient information was stored on the laptop?

The information stored was limited to spreadsheets, so any patient health information that may be on the computer is limited in data. The Clinic IT staff and third-party computer forensic experts are in the process of fully investigating what may have been stored on the laptop.

Our investigation thus far has determined that the spreadsheet likely contained the following:

  • Patient name
  • Date of birth
  • Name of treating health care provider
  • Reason for visit

None of the information is known to include Social Security numbers or financial credit information. Also, only patients seen within the last two years are potentially on the spreadsheet.

What is The Clinic doing to find out more specifics about the information? How many patients does this potentially affect?

The Clinic’s primary ethical responsibility is to our patients. We are doing our due diligence to try to ascertain what information is contained on the spreadsheet and how many patients were listed. However, unless the laptop is recovered, the exact details of the information and the total number of patients listed may never be known.

The estimated number of patients affected will be reported to the U.S. Office of Civil Rights and the Department of Health and Human Services by mid-January, 2015.

How much time elapsed from the time of the theft to when the employee notified The Clinic?

The employee reported the theft to supervisors and authorities within 24 hours.

Why did The Clinic wait until now to notify patients? Should not patients have been notified immediately?

The Clinic needed time to begin analyzing what type of patient information was on the laptop. Per federal law, an organization has 60 days to notify the public of a possible breach of patient health information security. The Clinic is notifying the public and media earlier than required because we want our patients and the community to know that we take this issue very seriously and are dedicated to the privacy and security of patient information.

What steps has The Clinic taken to help prevent this from happening in the future?

The Clinic is doing its due diligence to remind employees of its policies and procedures related to its security of health information.

Will I be able to find out if any of my information was contained on the laptop?

The Clinic will be notifying the patients who possibly have been affected by mail or, if available, email.

Additional questions?

If you have more questions, call The Clinic’s Patient Privacy Office at 855-699-0716.

h/t, Corvallis Gazette-Times

About the author: Dissent

Comments are closed.