Healthcare IT News reported that Oregon Health & Science University (OHSU) has experienced another data breach exposing patients' sensitive medical information. In this latest data breach:
"... protected health information has been compromised after several residents and physicians-in-training inappropriately used Google cloud services to maintain a spreadsheet of patient data. The Google cloud Internet-based service provider is not an OHSU business associate with a contractual agreement to use or store OHSU patient health information..."
3,044 patients admitted to the hospital between January 1, 2011 and July 3, 2013 were affected by this breach. Breach notification letters were sent to affected patients on July 26, 2013. OHSU stated in its breach notice:
"In May 2013, an OHSU School of Medicine faculty member discovered residents, or physicians-in-training, in the Division of Plastic and Reconstructive Surgery were using Internet-based services to maintain a spreadsheet of patients... OHSU Information Privacy and Security experts undertook an extensive investigation to determine what information was stored on the Internet-based service... This investigation led to the discovery of a similar practice in the Department of Urology and in Kidney Transplant Services... The data stored with the Internet service provider included the patient’s name, medical record number, dates of service, age, provider’s name and diagnosis/prognosis. For 731 patients, the data also included an address. For 617 patients, neither the reason for hospital stay, or diagnosis, nor the patient’s prognosis, or projected outcome, was among the stored data."
Concerned patients can call OHSU via a toll-free phone number (877 819-9774) from Monday through Friday from 6:00 am to 6:00 pm.
Reportedly, this is the fourth data breach at OHSU. According to the HIPAA Privacy Rule, Protected Health Information (PHI) is:
"... individually identifiable health information. Individually identifiable health information is that which can be linked to a particular person..."
PHI covers information about an individual's past, present or future physical or mental health condition, the health care provided to the individual, and payment for that care, whenever the information identifies the individual or could reasonably be used to identify them. As HHS summarizes it, the Privacy Rule's standards:
"... apply to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form... Health plans include health, dental, vision, and prescription drug insurers, health maintenance organizations (“HMOs”), Medicare, Medicaid, Medicare+Choice and Medicare supplement insurers, and long-term care insurers (excluding nursing home fixed-indemnity policies). Health plans also include employer-sponsored group health plans, government and church-sponsored health plans, and multi-employer health plans... Every health care provider, regardless of size, who electronically transmits health information in connection with certain transactions, is a covered entity. These transactions include claims, benefit eligibility inquiries, referral authorization requests, or other transactions for which HHS has established standards... "
The term "business associate" matters here because the Privacy Rule requires a covered entity to bind, by written contract, any vendor or subcontractor that creates, receives, stores or transmits PHI on its behalf. A service used without such an agreement, as Google's was in this case, is not a business associate at all, and the covered entity has no contractual control over how the PHI is handled:
"When a covered entity uses a contractor or other non-workforce member to perform "business associate" services or activities, the Rule requires that the covered entity include certain protections for the information in a business associate agreement... In the business associate contract, a covered entity must impose specified written safeguards on the individually identifiable health information used or disclosed by its business associates. Moreover, a covered entity may not contractually authorize its business associate to make any use or disclosure of protected health information that would violate the Rule..."
This breach highlights the need to train employees about cloud services: the data security risks they carry, and which information may and may not be stored in them. Note that the PHI here was not stolen by an attacker; it was placed by staff on a consumer cloud service that had no business associate agreement with OHSU, so the control that failed was policy and training, not perimeter defense. This is also why I am very, very careful and reluctant to share any medical or health information in cloud-based services or in mobile-device apps. Many developers of cloud-based services and mobile-device apps are not HIPAA PHI compliant.