Establishing Digital Trust: Don't Sacrifice Security for Convenience
Oregon Health & Science University Hospital recently announced that a USB drive containing patient information was stolen from an employee's home on July 4 or 5. The drive contained data on more than 14,000 patients and approximately 200 employees.
"The employee inadvertently took the USB drive home in a briefcase at the end of the workday," writes CMIO's Beth Walsh. "During the home burglary, the briefcase along with several other items was stolen. Prior to the theft, the drive was used to back up data from one OHSU computer system to another and is normally locked in a secure location on campus after use."
"Based on the home burglary investigation, the motive of the thieves appeared to be stealing items, such as jewelry, that could quickly be resold for money," Ron Marcum, M.D., interim chief corporate integrity officer in the OHSU Integrity Office, said in a statement. "It's likely that the USB drive was never the target. In fact, other computer equipment in the home was left untouched. Nevertheless, based on our investigation, we are contacting families because we think it's the right thing to do. We are also reporting the theft to the federal office that manages health information privacy and a police report was filed."
"[The] patient information on the USB drive includes names, dates of birth, phone numbers, addresses, OHSU medical record numbers and descriptions of patients' medical conditions," writes Becker's Hospital Review's Kathleen Roney. "The staff information on the USB includes names, Social Security numbers, addresses and employment-related vaccination information."https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
"OHSU sent letters to families of 702 pediatric patients and said that 'nearly all' of the data was password protected," writes EHR Intelligence's Patrick Ouellette. "Though OHSU uses encryption software for computers, password protection, secure programs for managing patient information and tracking usage and employee security training, it’s trying to figure out what was taken and the steps needed to access the password-protected data and open the files in a readable format."