Late last week, Oregon Health & Science University (OHSU) began mailing letters to 4,022 patients informing them that an unencrypted laptop containing their personal data was stolen from an OHSU physician's vacation rental in Hawaii in late February (h/t PHIprivacy.net).
While there was no patient information stored on the desktop or documents folder of the laptop, patient data could be found in daily surgery schedules saved in the e-mail application. Those schedules contained information on surgeries that took place from late 2012 through February 20, 2013, and included patient names, OSHU medical record numbers, types of surgery, surgery dates, surgery times, surgery locations, patient genders, patient ages, and names of surgeons and anaesthesiologists. For nine patients, Social Security numbers were also exposed -- OHSU is offering those patients free identity theft monitoring.
The physician apparently assumed that because the e-mails in question were sent via OHSU's e-mail network, they weren't also stored on the laptop. "However, as is the case with many email programs, recent emails are stored on the computer's hard drive," the university said in a statement. "In an effort to prevent similar issues in the future, OHSU recently enacted even more stringent encryption requirements."
"OHSU believes cash and physical items were the target of the burglars, not the data within the email program on the computer," Ronald Marcum, M.D., M.S., OHSU's chief privacy officer and director of OHSU's Integrity Office, said in a statement. "In addition, based on our analysis of the kind of data on the computer, we believe there is little to no ID theft risk for almost all the patients involved. However, in the interest of patient security and transparency and our obligation to report unauthorized access to personal health information to federal agencies, we are contacting all impacted persons.”