FAQ: Theft of OHSU laptop containing patient data

What exactly was taken?

A laptop computer containing information for 4,022 OHSU patients was recently stolen. The OHSU laptop was taken from an OHSU surgeon’s vacation rental home in Hawaii during a burglary on Feb. 22.

How will I know if my information was stolen?

OHSU is sending letters to all impacted patients. We have also set up a toll-free phone line — 1-877-819-9774 — so patients can learn whether their information was impacted. Almost all of the data was for patients who underwent surgery between late 2012 and February 20, 2013.

How likely is it that these families are at risk for identity theft?

OHSU conducted an extensive review of the data in an effort to determine what was taken. While patient health information was contained on the laptop, an analysis revealed there is little to no risk of identity theft for more than 99 percent of the impacted individuals. Records included Social Security numbers for only nine patients.

Are staff allowed to take OHSU laptops home or on vacation?

Yes. Employees are allowed to take OHSU laptops off campus. Policies are in place to protect patient information. In this case, the laptop was protected by a password. However, it was not encrypted.

Why wasn’t the information encrypted?

All OHSU laptops are password protected, including the laptop stolen during this burglary.  However, at the time of this incident, encryption was required only for laptops used for patient care. Because the laptop in question was purchased and used for research purposes, it was not encrypted. Although the physician wrote emails that related to patient care on the laptop, he believed these emails were housed on the OHSU email network – which is secure. However, as is the case with many email programs, recent emails are stored on the computer’s hard drive.  In an effort to prevent similar issues in the future, OHSU recently enacted even more stringent encryption requirements.

If the theft was on February 22, why didn’t you immediately contact families? 

OHSU was unable to immediately contact patients following the theft because there was a significant amount of effort required to determine what was on the stolen computer. OHSU security experts needed to investigate which emails were on the laptop. Then they needed to examine those 5,000 emails individually to identify precisely what data was on the stolen computer and how many people were affected.

Is information security an issue at OHSU?

Patients and physicians have benefitted significantly from recent technology advancements such as electronic records and increased access to email from various locations. However, along with these rapid advancements come new security challenges. Institutions across the country are quickly evolving their security efforts to best protect these records. For example, OHSU recently enacted even more stringent encryption requirements for computers in an effort to prevent further issues.

What format were the files in? 

The vast majority of patient information was contained in surgical schedules for OHSU operating rooms. Those schedules are PDF documents attached to emails. The remaining patient information was in the text of emails.

Why do you believe that the patient data was not the target of the theft?

We believe this for many reasons. The burglar forced entry into the vacation home and stole several other items that could be sold for quick profit. Because the break-in occurred at a vacation home, it is unlikely the burglar was aware the computer belonged to a physician.  In addition, the type of data on the computer would likely be of little to no assistance to a person interested in committing identity theft.

I am still concerned about identity theft. What should I do?

Almost all the stolen data is not the kind of information typically sought by those involved in identity theft. However, if you remain concerned, here is what we propose: As a first preventive step, we recommend you closely monitor your financial accounts and, if you see any unauthorized activity, promptly contact your financial institution. We also suggest you submit an identity theft complaint with the Federal Trade Commission by calling 1 877-ID-THEFT (1 877-438-4338) or online at https://www.ftccomplaintassistant.gov/.

As a second step, you also may want to contact any one of the three U.S. credit reporting agencies (Equifax, Experian and TransUnion) to obtain a free credit report from each by calling 1 877-322-8228 or by logging onto www.annualcreditreport.com.

Even if you do not find any suspicious activity on your initial credit reports, the Federal Trade Commission recommends that you check your credit reports periodically.  A victim’s personal information is sometimes held for use or shared among a group of thieves at different times. Checking your credit reports periodically can help you spot problems and address them quickly.

To protect yourself from the possibility of identity theft, Oregon law allows you to place a security freeze on your credit files. By placing a freeze, someone who fraudulently acquires your personal identifying information will not be able to use that information to open new accounts or borrow money in your name.

You will need to contact the three U.S. credit reporting agencies to place the security freeze. Keep in mind that when you place the freeze, you will not be able to borrow money, obtain instant credit, or get a new credit card until you temporarily lift or permanently remove the freeze. The cost of placing the freeze is no more than $10 for each credit reporting agency, for a total of $30. However, if you are a victim of identity theft and have filed a report with your local law enforcement agency or submitted an identity theft complaint form with the FTC, there may be no charge to place the freeze.

To obtain a security freeze, contact the following agencies:

For more information, see the website for the Oregon Department of Consumer and Business Services at www.dfcs.oregon.gov/id_theft.html and click on “Security Freeze.”

What steps does OHSU proactively take to prevent the release or theft of patient data?

We use a combination of physical means, staff training and strict policies to protect patient data. We protect many OHSU computers through the use of encryption software. OHSU recently broadened these encryption protections. We also use forced password protection on our computers. We train staff how to work appropriately with patient information. We also have ways to monitor staff access to health information to be sure it is used appropriately.

In addition to notifying patients, what else has OHSU done?

OHSU is reporting this release of information to the federal office that tracks and enforces privacy issues. A police report has been filed. We are also offering identity theft monitoring for the nine OHSU patients whose Social Security numbers were included among the data on the stolen computer.

How old are the patients whose data was stolen?

The patients are in all age categories. In cases where pediatric patients were involved, we are contacting parents or legal guardians.