Oregon Health & Science University is notifying some 4,000 patients after an unencrypted laptop containing their personal health information was stolen. Officials say the laptop was stolen from an OHSU surgeon's Hawaii vacation rental in late February.
This is OHSU's third reported HIPAA breach involving more than 500 individuals since 2009, all incidents involving stolen and unencrypted devices.
Officials say the patient data was located within the email program on the laptop, the majority of it contained in daily surgery schedules that are emailed to surgeons. The laptop included the personal health information of 4,022 patients, including patient names, genders, dates of birth, medical record numbers, type of surgery, surgery dates and locations, and the patients' surgeon.
In addition, OHSU security investigators determined that a small number of the approximately 5,000 emails stored on the laptop contained Social Security numbers for a total of 17 patients.
Officials say encryption was required only for laptops used for patient care. Because the laptop in question was purchased and used for research purposes, it was not encrypted. In an effort to prevent similar issues in the future, OHSU recently enacted even more stringent encryption requirements.
However, this is OHSU's third large HIPAA breach reported within the last few years. In an incident reported in June 2009, an unencrypted laptop containing the personal health information of some 1,000 patients was stolen from an employee's car. In a July 2012 incident, a thumb drive that an employee had brought home without authorization was stolen. The thumb drive contained the personal health information of 14,000 patients. Only 702 of those patients were notified, however, because officials say the drive contained additional data on them.
"OHSU believes cash and physical items were the target of the burglars, not the data within the email program on the computer. In addition, based on our analysis of the kind of data on the computer, we believe there is little to no ID theft risk for almost all the patients involved," explained Ronald Marcum, MD, OHSU's chief privacy officer and director of OHSU's Integrity Office, in a press statement. "However, in the interest of patient security and transparency and our obligation to report unauthorized access to personal health information to federal agencies, we are contacting all impacted persons."
OHSU representatives were unable to immediately contact patients following the theft because there was a significant amount of effort required to determine what was on the stolen computer. OHSU security experts needed to investigate which emails were on the laptop. Then they needed to examine those 5,000 emails individually to identify precisely what data was on the stolen computer and how many people were affected.
OHSU sent letters to the affected patients late last week. Patients who were impacted should receive letters in the mail within a week.
According to the Office for Civil Rights, some 65,000 breaches have been reported since 2009, yielding an estimated $50 million from enforcement activity.