The Oregon Health & Science University is notifying more than 3,000 of its patients of a breach
of their personally identifiable information after their data were placed by OHSU resident physicians on a pair of Google's cloud-based information-sharing services.
The data—including the patients' names, medical record numbers, dates of service, ages, diagnoses and prognoses and their providers' names—that were posted to either Google's Gmail or Drive were first discovered by a faculty member this past May, according to an OHSU news release
Gmail is the Mountain View, Calif.-based search engine company's popular e-mail service. Google Drive is an online storage service touted by the company as “One safe place for all your stuff” that includes an online platform to create, store and share documents, spreadsheets and slide presentations.
According to the university's statement, the intent of the resident physicians at the division of plastic and reconstructive surgery who used the services was “to maintain a spreadsheet of patients” to “provide each other up-to-date information about who was admitted to the hospital under the care of their division.”
An investigation of that incident led to the finding of “similar practices” in two other departments, urology and kidney transplant services, OHSU said. “After weeks spent reconstructing the data, the privacy and security experts discovered 3,044 patients admitted to the hospital between Jan. 1, 2011, and July 3, 2013, were affected,” the announcement said.
Under the terms of service, “data stored with the Internet-based provider can be used for the purpose of operating, promoting and improving (its) services, and to develop new ones,” OHSU said.
“There is no evidence that the data were accessed or used by anyone who did not have a legitimate patient-care need to view the information,” the university said. However, “OHSU has been unable to confirm with the Internet service provider that OHSU health information has not been, and will not be, used for these purposes. Consequently, OHSU is notifying all affected patients,” the university statement said.
Google spokesmen did not respond to requests for information about the incidents by deadline.
The university has had three previous breaches reported publicly on a list maintained by the Office for Civil Rights at HHS. Combined, those earlier incidents involve the records of a more than 16,000 individuals, according to the OCR's website
and the university's own published statements. Two involved thefts of laptop computers, the other, theft of a USB drive.Follow Joseph Conn on Twitter: @MHJConn