The Oregon Health & Science University has notified 3,044 patients that their protected health information has been compromised after several residents and physicians-in-training inappropriately used Google cloud services to maintain a spreadsheet of patient data.
The Google cloud Internet-based service provider is not an OHSU business associate with a contractual agreement to use or store OHSU patient health information, according to officials.
This is OHSU’s fourth big HIPAA breach since 2009 and third big breach just in the past two years, according to data from the Department of Health and Human Services.
The data for the majority of the patients compromised included patient names, medical record numbers, ages, provider names, diagnoses and dates of service. For 731 of those patients, the data also included addresses.
This past May, an OHSU official discovered residents and physicians-in-training within the Division of Plastic and Reconstructive Surgery were using cloud services to maintain a spreadsheet of patients. Their intent, according to an OHSU notice, was to provide each other accurate information about who was admitted to the hospital under the care of their division.
Upon learning of the incident, OHSU information privacy and security officials launched an investigation to the information stored, who was impacted and the likelihood that disclosure of the information could cause harm to the patients involved. This investigation led to the discovery of a similar practice in the Department of Urology and in Kidney Transplant Services. After weeks spent reconstructing the data, officials discovered 3,044 patients admitted to the hospital between Jan. 1, 2011, and July 3, 2013, were affected.
"We do not believe this incident will result in identity theft or financial harm; however, in the interest of patient security and transparency and our obligation to report unauthorized access to personal health information to federal agencies, we are contacting all affected patients," said John Rasmussen, chief information security officer at OHSU, in a company notice. "We sincerely apologize for any inconvenience or worry this may cause our patients or their families."
All OHSU patient health information found on the Internet-based service has been removed, and all residents have been re-educated about the critical importance of using OHSU-approved tools for securely sharing and updating patient information.
This is OHSU's fourth large HIPAA breach reported within the last few years. Reported back in June 2009, an unencrypted laptop containing personal health information of some 1,000 patients was stolen from an employee's car.
In a July 2012 incident, an unencrypted thumb drive an employee brought home without authorization was stolen. The thumb drive contained personal health information of 14,000 patients. Only 702 patients, however, were notified, as officials say the drive contained additional data on those patients.
And just in March, OHSU notified some 4,000 patients after an unencrypted laptop containing their personal health information was stolen from an OHSU surgeon's Hawaii vacation rental.