Since 2009, the Oregon Health & Science University (OHSU) has experienced a total of four HIPAA breaches involving compromised protected health information (PHI), with the most recent requiring the notification of 3,044 patients.
The breach occurred when a number of physicians in training and residents used Google Cloud Services to maintain a spreadsheet of their patients’ data. According to officials, the Google cloud Internet-based service provider isn’t a business associate of OHSU, and they don’t have a contractual agreement to store or use OHSU’s PHI.
Among OHSU’s four HIPAA breaches, this is the third largest breach in the past two years alone. The compromised data included patient names, ages, medical record numbers, diagnoses, provider names, and dates of services. In addition, 731 of these patients had their addresses compromised. The 3,044 patients affected had been admitted to the hospital between January 1st, 2011 and July 3rd, 2013.
The Chief Information Security Officer at OHSU, John Rasmussen, explained in a company notice:
“We do not believe this incident will result in identity theft or financial harm; however, in the interest of patient security and transparency, and our obligation to report unauthorized access of personal health information to federal agencies, we are contacting all affected patients.”
In addition, he apologized for any inconveniences caused by the breach, and admitted that he worries this may cost the hospital their patients and the patients’ families as well.
Once OHSU security officials discovered the incident, they teamed up with OHSU information privacy and launched an investigation to determine who was impacted, as well as how likely the disclosed information was to harm patients.
The investigation led to the discovery of a similar event that occurred in May 2013 in the Department of Urology and Kidney Transplant Services. When investigating this incident, OHSU officials discovered that physicians in training and residents of the Plastic and Reconstructive Surgery Division were also using cloud services to maintain patient information in spreadsheets. According to an OHSU notice, they wanted to share information and note who had been admitted to the hospital using the Google spreadsheets.
Just last March, OHSU was required to notify 4,000 patients after an unencrypted laptop containing patient health information was stolen during an OHSU surgeon’s vacation.
Patients’ health information has been removed from the Internet-based service, and residents have been educated and re-educated about the importance of using OHSU-approved tools for updating and sharing patient information safely.