Oregon Health & Science University has signed a resolution agreement with HHS' Office for Civil Rights over two data breaches from 2013 that affected more than 7,000 patients in total. The agreement includes a $2.7 million payment and a three-year corrective action plan.
In the first breach, an unencrypted laptop containing protected health information of 4,022 patients was stolen from a surgeon's vacation home in Hawaii in February 2013. OHSU notified 3,044 patients of the second breach in July 2013, in which residents and physicians-in-training in three departments had been storing patient information in a Google-based cloud system, though the health system did not have a contractual relationship to store patient information there.
OHSU indicates none of the affected patients have reported any harm from the data breaches.
"OHSU is continuously working to improve protection of patient information data in a constantly changing security and technology landscape. The two breaches that occurred in 2013 were stark reminders to OHSU how vigilant we must be. We made significant data security enhancements at the time of the incidents and now are investing at an unprecedented level in proactive measures to further safeguard patient information," said Bridget Barnes, OHSU CIO, in a statement.
The health system plans to work with external consultants to enhance protections and meet the requirements of the corrective action plan.