28 Mar 2013

Burglary of Surgeon May Expose Patient Data from Oregon Health and Science University

Confidential information of some 4,000 patients may be exposed after an Oregon Health and Science University surgeon’s laptop was stolen in a vacation burglary.

Information on surgeries performed from late 2012 through Feb. 20, 2013 could expose personal patient details, such as names, OHSU patient medical record numbers, type of surgery for each patient, surgery dates, times and locations, patient gender, patient age, and name of the surgeon and anesthesiologist.

"OHSU believes cash and physical items were the target of the burglars, not the data within the email program on the computer. In addition, based on our analysis of the kind of data on the computer, we believe there is little to no ID theft risk for almost all the patients involved," said Ronald Marcum, M.D., M.S., OHSU's chief privacy officer and director of OHSU's Integrity Office. "However, in the interest of patient security and transparency and our obligation to report unauthorized access to personal health information to federal agencies, we are contacting all impacted persons."

Although approximately 5,000 emails were stored on the laptop, only nine patients are believed to have had their Social Security numbers exposed. Because the stolen laptop was assigned for research, it lacked the encryption applied to the rest of the computers, which are used to handle sensitive data.

Affected patients were contacted and notified of the breach a while after the burglary, as it took some time for investigators to go through the 5,000 emails and locate possibly affected individuals.