Third Data Breach at OHSU

Oregon Health and Science University has notified 4,000 patients of a data breach stemming from the theft of an unencrypted laptop.  The computer, which contained protected health information (PHI) including medical record numbers and types of surgeries, was used for research purposes; only laptops used for patient care were being encrypted.

Officials at the school stated that most of the data was contained in daily surgery schedules and approximately 5,000 E-mails on the laptop computer.  The device was stolen from a vacationing surgeon’s rental home in Hawaii in late February, and the surgeon initially believed that the E-mails containing patient data were stored on the E-mail server, not locally.  OHSU’s Chief Privacy Officer Ronald Marcum, M.D. said in a press statement, “OHSU believes cash and physical items were the target of the burglars, not the data within the email program on the computer.  In addition, based on our analysis of the kind of data on the computer, we believe there is little to no ID theft risk for almost all the patients involved.”  Nevertheless, the organization reached out to “all impacted persons” in the interest of patient security and transparency.

This incident is the third data breach at OHSU over the past four years.  In 2009, another laptop (containing PHI for approximately 1,000 patients) was stolen from a doctor’s parked car.  In July 2012, an employee inadvertently brought home a USB thumb drive containing data for over 14,000 patients, and the briefcase holding it was stolen during a home burglary.

The university has stated that it will mandate more stringent encryption practices as a result of the latest HIPAA breach, to prevent future occurrences. The Office for Civil Rights notes that almost 79,000 HIPAA complaints have been received since the compliance date of April 14, 2003.  OCR received the authority to administer and enforce the Security Rule on July 27, 2009.

Whether you are using medical billing software, electronic medical records software, or a full suite application like Medisoft Clinical or Lytec MD, keeping your data protected and secure is paramount to your practice’s well-being.  The healthcare technology consultants at Microwize Technology can help.