OHSU contacts patients about data stolen during burglary
07/31/12 Portland, Ore.
OHSU patients and families: OHSU has set up a toll free number to respond to patient questions. Information stored on the stolen computer drive was used to track the care of premature infants. Unless your past interactions with OHSU involved the care of a premature or newborn infant cared for in the neonatal ICU, your information was not on the stolen computer drive. If you still have questions, call this toll free number to speak with a representative: 1-855-650-6955.
Oregon Health & Science University Hospital officials are sending letters to the families of 702 pediatric patients after a USB drive containing some of their patient information was stolen. In total, data for more than 14,000 patients was stored on the drive, along with information for about 200 OHSU employees.
The incident does not impact all OHSU patients, but affects a limited number of premature pediatric patients who were screened for vision issues. In the vast majority of cases, the data is very limited in scope. None of the patient data is the kind of information typically used for identity theft. Nearly all the patient data was password-protected, and all of the data can only be opened by software not commonly found on personal computers. Nevertheless, OHSU is contacting patients to make them aware of the situation.
The thumb drive carrying the data was stolen during the burglary of an OHSU employee's home July 4 or 5. The employee inadvertently took the USB drive home in a briefcase at the end of the workday. During the home burglary, the briefcase along with several other items was stolen.
Prior to the theft, the drive was used to back up data from one OHSU computer system to another and is normally locked in a secure location on campus after use. Since the theft occurred, OHSU has conducted an extensive investigation into exactly what was taken and the steps needed to access the password-protected data and open the files in a readable format.
Following is a list of the data contained on the stolen drive:
- Pediatric patient information (name, date of birth, phone number, address, OHSU medical record number, and a one- to four-word description of the patient's medical condition, or family medical history in some cases) for approximately 14,300 patients. The data is gathered to track the results of vision screenings for newborns born prematurely. Nearly all of this data is password-protected, and all of it is in an uncommon file format. A subset of the data for these patients was slightly more sensitive because it contains data that is considered more personal. These patients (702 in total) are receiving letters from OHSU this week.
- A database of OHSU staff information, including names, Social Security numbers, addresses, employment-related vaccination information for 195 OHSU employees.
"Based on the home burglary investigation, the motive of the thieves appeared to be stealing items, such as jewelry, that could quickly be resold for money," explained Ron Marcum, M.D., interim chief corporate integrity officer in the OHSU Integrity Office.
"It's likely that the USB drive was never the target. In fact, other computer equipment in the home was left untouched. Nevertheless, based on our investigation, we are contacting families because we think it's the right thing to do. We are also reporting the theft to the federal office that manages health information privacy and a police report was filed."
OHSU has several measures in place to protect patient information, including encryption software for computers, password protections and secure programs for managing patient information and tracking usage. The university also provides extensive training to all employees who have access to patient data. In addition, the university has enacted several layers of policy to help protect this information.
In regard to this case, while the stolen USB drive was never intended to leave campus, OHSU has been working to develop methods for ensuring USB drives are encrypted. OHSU plans to step up these efforts in light of this incident.
Oregon Health & Science University is the state's only health and research university and its only academic health center. As Portland's largest employer, OHSU's size contributes to its ability to provide many services and community support activities not found anywhere else in the state. OHSU serves patients from every corner of the state and is a conduit for learning for more than 4,300 students and trainees. OHSU is the source of more than 200 community outreach programs that bring health and education services to each county in the state.