Latest hospital data breach involves cloud services

So far, healthcare data breaches have primarily involved lost or stolen smartphones, laptops, tablets or thumb drives. A recent transgression at the Oregon Health & Science University, however, has added a new area of concern: Unsecured cloud platforms.

OHSU officials recently notified more than 3,000 patients that their health information had been compromised after residents and physicians-in-training in three departments used Google cloud services to share patient data. Officials said the university doesn't have a contractual agreement to use the cloud-based ISP.

According to officials, the university discovered in May that residents and physicians-in-training in the Division of Plastic and Reconstructive Surgery were using cloud services to maintain a spreadsheet of patients, which included names, ID numbers, ages, provider names, diagnoses, dates of service and, in some cases, addresses. The intent, officials said, was to make it easier to share accurate information about admitted patients with those involved in each patient's care.

An investigation discovered similar practices in the Department of Urology and Kidney Transplant Services; in all, officials said, the spreadsheets contained HIPAA-protected data concerning 3,044 patients admitted to the hospital between Jan. 1, 2011 and July 3, 2013.

"We do not believe this incident will result in identity theft or financial harm; however, in the interest of patient security and transparency and our obligation to report unauthorized access to personal health information to federal agencies, we are contacting all affected patients," said John Rasmussen, chief information security officer at OHSU, in a company notice. "We sincerely apologize for any inconvenience or worry this may cause our patients or their families."

This is the fourth HIPAA violation since 2009 for the Portland, Ore.-based provider. In 2009, an unencrypted laptop containing personal health information of some 1,000 patients was stolen from an employee's car. And in July 2012, an unencrypted thumb drive that an employee had brought home without authorization was stolen. The thumb drive contained personal health information of 14,000 patients, though only 702 patients were notified of the breach, as officials said the drive contained sensitive data on only those patients.
