A USB drive with data on thousands of patients of Oregon Health & Science University (OHSU) in Portland was stolen from the home of an employee on July 4 or 5.
How many victims? 14,300, including 702 pediatric patients and around 200 employees of the facility.
What type of personal information? Names, dates of birth, phone numbers, addresses, medical record numbers and descriptions of patients' medical conditions. The information of staff on the device included names, Social Security numbers, addresses and employment-related vaccination records.
What happened? An employee accidentally took home the thumb drive in his briefcase, which was subsequently stolen, along with other items, during a home invasion.
What was the response? OHSU released an announcement stating that letters went out to "a limited number of premature pediatric patients who were screened for vision issues." It said the device was password-protected, but did not say if it was encrypted. However, the facility stated it is developing further methods to ensure USB drives are encrypted. A toll-free number to respond to patient questions has been set up.
Quote: "It's likely that the USB drive was never the target," said Ron Marcum, OHSU's interim chief corporate integrity officer..
Source: Becker's Hospital Review, "Data Breach Affects More Than 14k Oregon Health & Science University Patients," Aug. 1, 2012