Portland-based Oregon Health & Science University (OHSU) notified more than 3,000 patients that their information had been stored in an unauthorized cloud service.
How many victims? 3,044 patients admitted between January 2011 and July 2013.
What type of personal information? Names, medical record numbers, dates of service, ages, providers' names and diagnoses/prognoses. An address was included for 731 patients.
What happened? Resident physicians in the division of plastic and reconstructive surgery were using Google Drive and Mail to maintain a spreadsheet of patients. Google is not approved to store OHSU patient data.
What was the response? OHSU security experts began an investigation to determine what information was stored on the cloud service, which patients were impacted and whether disclosure of the information could cause harm to patients. Affected patients and law enforcement were notified, all information found on the cloud service was removed and residents were re-educated on privacy protocols.
Quote: “We do not believe this incident will result in identity theft or financial harm; however, in the interest of patient security and transparency and our obligation to report unauthorized access to personal health information to federal agencies, we are contacting all affected patients,” said OHSU Chief Information Security Officer John Rasmussen. “We sincerely apologize for any inconvenience or worry this may cause our patients or their families.”
Source: ohsu.edu, “OHSU notifies patients of ‘cloud’ health information storage,” July 28, 2013.