OHSU warns: Stolen laptop had patient information
Oregon Health & Science University is contacting more than 4,000 patients whose medical information was on a doctor's laptop computer stolen in late February from a rented vacation home in Hawaii.
OHSU officials said the laptop taken during a burglary held information on 4,022 patients in an email program. Almost all of the patient information was contained within daily surgery schedules that are emailed to surgeons. The schedules on the laptop were for surgeries that took place in late 2012 through Feb. 20, 2013.
The information included patient names, OHSU patient medical record numbers, type of surgery for each patient, surgery dates and locations, and the name of the surgeon and anesthesiologist.
In addition, OHSU security investigators determined that a small number of the nearly 5,000 emails stored on the laptop contained Social Security numbers for nine patients. Those persons are being offered free identity theft monitoring.
OHSU sent letters to the affected patients late last week. Patients who were impacted should receive letters in the mail within a week.
All OHSU laptops are password protected, including the laptop stolen during the burglary. However, at the time of this incident, encryption was required only for laptops used for patient care. Because the laptop was purchased and used for research purposes, it was not encrypted.
In an effort to prevent similar issues in the future, OHSU recently enacted even more stringent encryption requirements.
"OHSU believes cash and physical items were the target of the burglars, not the data within the email program on the computer," said Dr. Ronald Marcum, OHSU's chief privacy officer and director of OHSU's Integrity Office. "In addition, based on our analysis of the kind of data on the computer, we believe there is little to no ID theft risk for almost all the patients involved. However, in the interest of patient security and transparency and our obligation to report unauthorized access to personal health information to federal agencies, we are contacting all impacted persons."
OHSU representatives were unable to immediately contact patients following the theft because there was a significant amount of effort required to determine what was on the stolen computer. OHSU security experts needed to investigate which emails were on the laptop. They also needed to examine the 5,000 emails to identify precisely what data was on the stolen computer and how many people were affected.