The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

OHSU Hard Drive Stolen: PHI of Neonatal Patients Exposed

Oregon Health & Science University (OHSU) has reported the theft of a computer hard drive containing the protected health information of neonatal intensive care unit patients. The hard drive was stolen from the vehicle of a research student on December 6, 2015.

Contact information was not stored on the hard drive, only patients’ names, dates of birth, medical record identification numbers, physicians’ names, medical diagnoses, and clinical data relating to the research study the patients were participating in. The data were being used for a study on the potential effect of aminoglycoside antibiotics on hearing. The patients affected were those who enrolled in the study in 2013.

Since no Social Security numbers, insurance information, or financial data were stored on the laptop, OHSU does not believe there is a risk of financial harm being suffered by either the patients or their families.

OHSU has not announced how many individuals have been affected by the hard drive theft and the incident has yet to be posted on the Office for Civil Rights breach portal.

A substitute breach notification was posted on the OHSU website on February 10, 2016, 66 days after the theft occurred. The HIPAA breach notification rule requires covered entities to issue breach notification letters to patients, issue a media notice, and submit a breach report to OCR within 60 days of the discovery of a data breach. This is a maximum time limit. Notifications should be issued without unnecessary delay.

According to the substitute breach notice, “OHSU takes the privacy of patient information very seriously and has extensive policies and procedures in place to protect patient information.” However, those policies do not appear to include data encryption for PHI, even when it is stored on devices that are taken off site.

This is not the first time that OHSU has suffered a data breach as a result of the theft of an electronic device used to store PHI. In 2013, an unencrypted laptop computer containing the PHI of 1,361 individuals was stolen, while in 2012, OHSU reported two cases of data theft. Those incidents exposed 550 and 702 patient health records.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
