OHSU

Theft of OHSU Thumb Drive Containing Patient Data Frequently Asked Questions

OHSU patients and families: OHSU has set up a toll free number to respond to patient questions. Information stored on the stolen computer drive was used to track the care of premature infants. Unless your past interactions with OHSU involved the care of a premature or newborn infant cared for in the neonatal ICU, your information was not on the stolen computer drive. If you still have questions, call this toll free number to speak with a representative: 1-855-650-6955.

What exactly was taken?

The stolen thumb drive contained a limited amount of health information (about eight fields of information) for about 14,000 patients. These fields included:
  • Name
  • Address
  • Date of birth
  • Family medical history
  • Phone number
  • Date of treatment
  • OHSU’s medical record number
  • A one- to four-word description of the patient’s medical condition
The data is not the kind of information typically sought out by those involved in identity theft. The patient database on the drive exists to improve the quality and safety of medical care for premature infants. Therefore, it only includes data on a subset of OHSU patients who were premature infants.
The drive also contained some employment data for about 200 OHSU employees. Nearly all of the data was password protected, and all of it was in a file format not commonly found on home computers.

The stolen drive contained records for more than 14,000 people, yet you are only contacting 702 patients. Why not contact the entire group?

None of the patient data included Social Security numbers or other data typically used for identity theft. Also, nearly all the data was password-protected. However, in 702 cases, records referenced health conditions that are a bit more personal or might be an embarrassment for a patient if disclosed. We are contacting that subgroup – not because they are in any significant heightened risk – because we want them to be aware of the nature of the data as it pertains to them.

If people do not receive a letter, they are welcome to inquire about their data by calling 1 855-650-6955. The database was limited to the care of premature infants, so if you are not an OHSU patient related to the care of a premature infant, your data was not on the USB drive.

Is it common practice for OHSU staff to take patient data home with them?

No. OHSU employees are not allowed to transport information off campus unless it is encrypted and unless the data must be transported for work reasons. In this case, the data was accidentally taken home instead of being secured in a locked location on campus, as is common practice.

How were the files protected?

Almost all the files were password-protected. All the files were in an uncommon file format and cannot be read without this specialized software. We are not disclosing the name of this software to maintain as much security for the data as possible.

How likely is it that these families are at risk for identity theft?

OHSU conducted an extensive review of the data in an effort to determine what is required to access the data and the extent of the data. Even if a person obtained access to the patient data in the files, it is not the kind of information – such as Social security numbers – that a thief typically would seek out for the purpose of identity theft.

Some of the info on the drive about OHSU employees did contain Social Security numbers. OHSU is contacting these employees and offering to pay for ID theft monitoring.

The theft was on July 4 or 5. Why didn’t you immediately contact families?

As soon as we were alerted to the theft, we began an investigation to learn what was taken and, more importantly, how accessible it was. Because almost all the data was password-protected and all of it was in an uncommon format, it took some time to determine the risk. We learned that in most cases, the risk is actually quite low. But we also felt that once we had the important information in hand, we needed to make patients and others aware through letters and a press release.

Because thousands of records can be carried on a thumb drive, aren’t paper records more secure?

There are many advantages to electronic health records. These include:

  • Rapid access in the case of an emergency.
  • The ability for several health providers to provide coordinated care and avoid mistakes.
  • The ability to backup records so that valuable data is not lost due to natural disasters or fire.

However, whether records are paper or electronic, there are always risks, which is why we have several layers of protection in place, including encryption software, passwords, extensive staff training and university policies. However, incidents such as this demonstrate that we can always do more. For instance, an ongoing project at OHSU is to transition to encrypted USB drives and to limit USB drive use. This event has accelerated those efforts.

What format were the files in?

We aren’t naming the software in the interest of maintaining as much security as possible for the data. However, we can say that it is software that you wont find on most home computers.

Why do you believe that the patient data was not the target of the home theft?

We believe this for many reasons. The burglar forced entry into the home and stole jewelry and other items that could be sold for quick profit. The drive was in a briefcase, and it is likely the thieves did not even know they had the drive. In addition, computers in the home were untouched, which is unusual if the thieves were targeting data.

I am still concerned about identity theft. What should I do?

The stolen data is not the kind of information typically sought by those involved in identity theft. However, if you remain concerned, here is what we propose: As a first preventive step, we recommend you closely monitor your financial accounts and, if you see any unauthorized activity, promptly contact your financial institution. We also suggest you submit a complaint with the Federal Trade Commission by calling 1 877-ID-THEFT (1 877-438-4338) or online at https://www.ftccomplaintassistant.gov/.

As a second step, you also may want to contact the three U.S. credit reporting agencies (Equifax, Experian and TransUnion) to obtain a free credit report from each by calling 1 877-322-8228 or by logging onto www.annualcreditreport.com.

Even if you do not find any suspicious activity on your initial credit reports, the Federal Trade Commission (FTC) recommends that you check your credit reports periodically. A victim’s personal information is sometimes held for use or shared among a group of thieves at different times. Checking your credit reports periodically can help you spot problems and address them quickly.

To protect yourself from the possibility of identity theft, Oregon law allows you to place a security freeze on your credit files. By placing a freeze, someone who fraudulently acquires your personal identifying information will not be able to use that information to open new accounts or borrow money in your name.

You will need to contact the three U.S. credit reporting agencies to place the security freeze. Keep in mind that when you place the freeze, you will not be able to borrow money, obtain instant credit, or get a new credit card until you temporarily lift or permanently remove the freeze. The cost of placing the freeze is no more than $10 for each credit reporting agency, for a total of $30. However, if you are a victim of identity theft and have filed a report with your local law enforcement agency or submitted an ID Complaint Form with the FTC, there may be no charge to place the freeze.

To obtain a security freeze, contact the following agencies:

For more information, see the website for the Oregon Department of Consumer and Business Services and click on “Security Freeze.”

What steps does OHSU proactively take to prevent the release or theft of patient data?

We use a combination of physical means, staff training and strict policies. We protect OHSU computers through the use of encryption software. We also use forced password protection on our computers. We train staff how to work appropriately with patient information. We also have ways to monitor staff access to health information to be sure it is used appropriately.

What is OHSU doing to prevent further incidents?

OHSU continuously improves its records security. We are constantly expanding protections and investigating new and better security methods. In fact, OHSU has an office that focuses specifically on privacy issues. One example of this continuous work is an ongoing project at OHSU to transition to encrypted USB drives and limited USB drive use. This event have accelerated those efforts.

In addition to notifying patients, what else has OHSU done?

OHSU is reporting this release of information to the federal office that tracks and enforces privacy issues. A police report has been filed. We are also offering ID theft monitoring for the 200 OHSU employees with Social Security numbers on the stolen drive.