OHSU Hard Drive Stolen: PHI of Neonatal Patients Exposed

Oregon Health & Science University (OHSU) has reported the theft of a computer hard drive containing the protected health information of neonatal intensive care unit patients. The hard drive was stolen from the vehicle of a research student on December 6, 2015.

Contact information was not stored on the hard drive, only patients’ names, dates of birth, medical record identification numbers, physicians’ names, medical diagnoses, and clinical data relating to the research study the patients were participating in. The data were being used for a study on the potential effect of aminoglycoside antibiotics on hearing. The patients affected were those who enrolled in the study in 2013.

Since no Social Security numbers, insurance information, or financial data were stored on the laptop, OHSU does not believe there is a risk of financial harm being suffered by either the patients or their families.

OHSU has not announced how many individuals have been affected by the hard drive theft and the incident has yet to be posted on the Office for Civil Rights breach portal.

A substitute breach notification was posted on the OHSU website on February 10, 2016, 66 days after the theft occurred. The HIPAA breach notification rule requires covered entities to issue breach notification letters to patients, issue a media notice, and submit a breach report to OCR within 60 days of the discovery of a data breach. This is a maximum time limit. Notifications should be issued without unnecessary delay.

According to the substitute breach notice, “OHSU takes the privacy of patient information very seriously and has extensive policies and procedures in place to protect patient information.” However, those policies do not appear to include data encryption for PHI, even when it is stored on devices that are taken off site.

This is not the first time that OHSU has suffered a data breach as a result of the theft of an electronic device used to store PHI. In 2013, an unencrypted laptop computer containing the PHI of 1,361 individuals was stolen, while in 2012, OHSU reported two cases of data theft. Those incidents exposed 550 and 702 patient health records.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.