Oregon Health & Science University laptop stolen in Chicago
Date Reported:
12/12/08
Organization:
Oregon Health & Science University ("OHSU")
Contractor/Consultant/Branch:
None
Location:
Chicago, Illinois
Victims:
Patients
Number Affected:
890
Types of Data:
"medical record numbers, names, telephone numbers, dates of birth, gender, medical diagnosis category and category of treatment"
Breach Description:
"PORTLAND, Ore. (AP) — Oregon Health & Science University is notifying 890 patients that a laptop stolen in Chicago this week may contain their health records."
Reference URL:
Associated Press via The Oregonian
The Oregonian
United Press International
Report Credit:
The Associated Press
Response:
From the online sources cited above:
Oregon Health & Science University has sent letters to 890 patients informing them that a stolen laptop may have contained their health records.
[Evan] Ugh, words like "may" bug me a little. I'm critical of OHSU for not encrypting this laptop, but I applaud OHSU for notifying.
The laptop was stolen last week from an OHSU employee in a Chicago hotel, while he was traveling on business.
The hospital says police believe the thief didn't know what the computer held.
[Evan] Duh. Not yet anyway.
In an effort to reassure patients, OHSU said the laptop was password-protected and called the risk of identity theft low.
[Evan] Anyone buying into password-protection?
The data did not include Social Security numbers, addresses or specific treatments, OHSU said.
While the personal information in the database on the computer did not include enough detail to require notification under Oregon law, OHSU said it chose to alert the 890 patients.
The data could include medical record numbers, names, telephone numbers, dates of birth, gender, medical diagnosis category and category of treatment.
[Evan] These aren't the most sensitive pieces of information, but they aren't public either. How many data classification categories do you use in your data classification scheme? Do you have a data classification scheme?
OHSU also flagged all of the affected patient records in its system to make sure requests for those data automatically receive higher scrutiny.
Commentary:
Depending on your risk appetite, I would suggest that people encrypt their laptops if there is even a slight chance that they may contain sensitive information. But that's me.
Past Breaches:
Unknown

12-17-08
Having read this blog regularly for @ 1 year, I have noticed that the theft of laptop computers is such a common event that obviously any prudent business or charitable organization should encrypt all computers and should allow the minimum amount of private information possible to be stored on laptops (and flash drives, etc.). This seems to be a result of just general ignorance of the risks associated with ID theft, and extremely poor risk management practices. What organizations (besides the FTC and governmental agencies) are there for educating the public and its members about information security risks and practices that a manager or business person could join to stay abreast of developments in this field, that are directed not to the IT expert but to your everyday businessman to help improve his business practices, and educate the public, etc., for halfway reasonable membership fees?
Why would any of that data be stored directly on some guy's laptop anyway? Isn't the whole point of having servers and data centers that are secure to minimize incidents of exactly this type of information theft? He may have been authorized to be carrying around all that private data, in which case, that's where the bigger security problem lies. Sounds like it's time for OHSU to review data storage protocols.
http://www.atsu.edu/ashs/online_programs/index.htm