Latest hospital data breach involves cloud services

From the mHealthNews archive
By Erin McCann

So far, healthcare data breaches have primarily involved lost or stolen smartphones, laptops, tablets or thumb drives. A recent incident at Oregon Health & Science University, however, has added a new area of concern: unsecured cloud platforms.

OHSU officials recently notified more than 3,000 patients that their health information had been compromised after residents and physicians-in-training in three departments used Google cloud services to share patient data. Officials said the university has no contractual agreement with the cloud service provider covering that use.

According to officials, the university discovered in May that residents and physicians-in-training in the Division of Plastic and Reconstructive Surgery were using cloud services to maintain a spreadsheet of patients, which included names, ID numbers, ages, provider names, diagnoses, dates of service and, in some cases, addresses. The intent, officials said, was to make it easier to share accurate information about admitted patients among those involved in each patient's care.

An investigation discovered similar practices in the Department of Urology and Kidney Transplant Services; in all, officials said, the spreadsheets contained HIPAA-protected data concerning 3,044 patients admitted to the hospital between Jan. 1, 2011 and July 3, 2013.

"We do not believe this incident will result in identity theft or financial harm; however, in the interest of patient security and transparency and our obligation to report unauthorized access to personal health information to federal agencies, we are contacting all affected patients," said John Rasmussen, chief information security officer at OHSU, in a company notice. "We sincerely apologize for any inconvenience or worry this may cause our patients or their families."

This is the fourth HIPAA violation since 2009 for the Portland, Ore.-based provider. In 2009, an unencrypted laptop containing personal health information of some 1,000 patients was stolen from an employee's car. And in July 2012, an unencrypted thumb drive that an employee had brought home without authorization was stolen. The thumb drive contained personal health information of 14,000 patients, though only 702 patients were notified of the breach, as officials said the drive contained sensitive data on only those patients.