Cloud storage leads to potential breach for OHSU

Oregon Health & Science University (OHSU) is notifying 3,044 patients that their health information was stored on a password-protected cloud computing system but could have been breached.

Although the internet-based service provider (Google Drive, Google Mail) has security measures and policies in place to protect information, it is not an OHSU business associate with a contractual agreement to use or store OHSU patient health information.

According to a statement from the organization, there is no evidence that the data was accessed or used by anyone who did not have a legitimate patient care need to view the information. However, the terms of service indicate the data stored with the internet-based provider can be used for the “purpose of operating, promoting and improving [its] services, and to develop new ones.” OHSU has been unable to confirm with the internet service provider that OHSU health information has not been, and will not be, used for these purposes. Consequently, OHSU is notifying all affected patients.

In May 2013, an OHSU School of Medicine faculty member discovered that residents, or physicians-in-training, in the division of plastic and reconstructive surgery were using internet-based services to maintain a spreadsheet of patients. Their intent was to provide each other up-to-date information about who was admitted to the hospital under the care of their division.

Upon learning of the incident, OHSU's information privacy and security experts undertook an extensive investigation to determine what information was stored on the internet-based service, who was impacted and the likelihood that disclosure of the information could cause harm to the patients involved, according to the statement. This investigation led to the discovery of a similar practice in the department of urology and in kidney transplant services. After weeks spent reconstructing the data, the privacy and security experts discovered that 3,044 patients admitted to the hospital between Jan. 1, 2011, and July 3, 2013, were affected.

The data stored with the internet service provider included the patients' names, medical record numbers, dates of service, ages, providers' names and diagnosis/prognosis. For 731 patients, the data also included an address. For 617 patients, neither the reason for the hospital stay (diagnosis) nor the patient's projected outcome (prognosis) was among the stored data. The data did not include Social Security numbers, insurance information, credit card information, bank information, phone numbers or dates of birth.

All OHSU patient health information found on the internet-based service has been removed, according to the organization, and all residents have been re-educated about the critical importance of using OHSU-approved tools for securely sharing and updating patient information.

Beth Walsh, Editor

