Healthcare IT News’ Erin McCann recently reported that Oregon Health & Science University had to again notify patients that their protected health information had been compromised. From Erin’s post
The Oregon Health & Science University has notified 3,044 patients that their protected health information has been compromised after several residents and physicians-in-training inappropriately used Google cloud services to maintain a spreadsheet of patient data.
The Google cloud Internet-based service provider is not an OHSU business associate with a contractual agreement to use or store OHSU patient health information, according to officials.
This is OHSU’s fourth big HIPAA breach since 2009 and third big breach just in the past two years, according to data from the Department of Health and Human Services.
The data for the majority of the patients compromised included patient names, medical record numbers, ages, provider names, diagnoses and dates of service. For 731 of those patients, the data also included addresses.
[See also: Third big HIPAA breach for OHSU.]
This past May, an OHSU official discovered residents and physicians-in-training within the Division of Plastic and Reconstructive Surgery were using cloud services to maintain a spreadsheet of patients. Their intent, according to an OHSU notice, was to provide each other accurate information about who was admitted to the hospital under the care of their division.
Upon learning of the incident, OHSU information privacy and security officials launched an investigation to the information stored, who was impacted and the likelihood that disclosure of the information could cause harm to the patients involved. This investigation led to the discovery of a similar practice in the Department of Urology and in Kidney Transplant Services. After weeks spent reconstructing the data, officials discovered 3,044 patients admitted to the hospital between Jan. 1, 2011, and July 3, 2013, were affected.
