OHSU patients and families: OHSU has set up a toll-free phone number to respond to patient questions about the laptop theft. Almost all of the patient information on the laptop computer related to patients who were scheduled for surgery at OHSU from late 2012 through Feb. 20, 2013.
Anyone with questions can call toll-free to speak to an OHSU representative. The number is: 877 819-9774.
Oregon Health & Science University is in the midst of contacting approximately 4,000 patients after a laptop containing some of their personal information was stolen. The laptop was taken during a burglary at an OHSU surgeon's vacation rental home while in Hawaii in late February. Information for 4,022 patients was on the computer.
The computer's desktop and documents folder did not contain sensitive data. All of the patient information was located within the email program. Almost all of the patient information was contained within daily surgery schedules that are emailed to surgeons scheduled to operate in OHSU's operating rooms. Those schedules attached to emails were for surgeries that took place in late 2012 through February 20, 2013. Information located in those daily schedules was limited to:
- Patient names
- OHSU patient medical record numbers
- Type of surgery for each patient
- Surgery dates, times and locations (limited to surgeries in late 2012 through Feb. 20, 2013)
- Patient gender
- Patient age
- Name of the surgeon and anesthesiologist
In addition, OHSU security investigators determined that a small number of the approximately 5,000 emails stored on the laptop contained Social Security numbers for a total of nine patients. Those persons are being offered free identity theft monitoring.
All OHSU laptops are password protected, including the laptop stolen during this burglary. However, at the time of this incident, encryption was required only for laptops used for patient care. Because the laptop in question was purchased and used for research purposes, it was not encrypted. Although the physician wrote and received emails that related to patient care on the laptop, he believed these emails were housed on the OHSU email network – which is secure. However, as is the case with many email programs, recent emails are stored on the computer's hard drive. In an effort to prevent similar issues in the future, OHSU recently enacted even more stringent encryption requirements.
"OHSU believes cash and physical items were the target of the burglars, not the data within the email program on the computer. In addition, based on our analysis of the kind of data on the computer, we believe there is little to no ID theft risk for almost all the patients involved,” explained Ronald Marcum, M.D., M.S., OHSU's chief privacy officer and director of OHSU's Integrity Office. "However, in the interest of patient security and transparency and our obligation to report unauthorized access to personal health information to federal agencies, we are contacting all impacted persons.”
OHSU representatives were unable to immediately contact patients following the theft because there was a significant amount of effort required to determine what was on the stolen computer. OHSU security experts needed to investigate which emails were on the laptop. Then they needed to examine those 5,000 emails individually to identify precisely what data was on the stolen computer and how many people were affected.
OHSU sent letters to the affected patients late last week. Patients who were impacted should receive letters in the mail within a week.
**Note: The total number of patients whose Social Security numbers were stored on the laptop has been corrected.