Breach, Cloud Security, Data Security

Patients notified after resident doctors store their data on Google

Portland-based Oregon Health & Science University (OSHU) notified more than 3,000 patients that their information had been stored in an unauthorized cloud service.

How many victims? 3,044 patients admitted between January 2011 and July 2013.

What type of personal information? Names, medical record numbers, dates of service, ages, provider's names and diagnoses/prognoses. An address was included for 731 patients.

What happened? Resident physicians in the division of plastic and reconstructive surgery were using Google Drive and Mail to maintain a spreadsheet of patients. Google is not approved to store OSHU patient data.

What was the response? OSHU security experts began an investigation to determine what information was stored on the cloud service, which patients were impacted and whether disclosure of the information could cause harm to patients. Affected patients and law enforcement were notified, all information found on the cloud service was removed and residents were re-educated on privacy protocols.  

Quote: “We do not believe this incident will result in identity theft or financial harm; however, in the interest of patient security and transparency and our obligation to report unauthorized access to personal health information to federal agencies, we are contacting all affected patients," said OHSU Chief Information Security Officer John Rasmussen. "We sincerely apologize for any inconvenience or worry this may cause our patients or their families."

Source: ohsu.edu, “OHSU notifies patients of ‘cloud' health information storage,” July 28, 2013.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.