Laptop Theft Causes Oregon HIPAA Data Breach

Another Oregon HIPAA data breach has been announced, again the result of the theft of a laptop containing unencrypted PHI.

In November of this year, a member of staff of the Corvallis Clinic left a laptop computer in a vehicle while attending a conference, only to discover that the device had been stolen from the car on his return.

The Corvallis Clinic is a healthcare system comprising 8 surgeries and clinics – and one CareNow clinic – in the mid-Willamette region of Oregon. The healthcare provider serves a region with a population of approximately 250,000. The laptop computer contained data relating to patients who had visited one of the centers for treatment during the past two years, although at this stage it is not clear whether the data related to just one of the medical facilities or a number of them. The number of individuals affected by the breach has also yet to be established.

In a breach notification posted on the company website, it is explained that the presence of PHI on the laptop was a violation of company policy, as the computer had not been cleared for use as a device for storing PHI. While the data on the laptop was not encrypted, the statement pointed out that it was protected with a “highly secure alpha-numeric password”, so “a breach of patient health information is unlikely.”

The data that was potentially exposed was limited to the names of patients, their dates of birth, the name of the treating physician and some patient notes on the reason for the visit. It was pointed out that no financial information such as bank account details or credit card numbers was exposed, and neither were Social Security numbers.

The Corvallis Clinic takes HIPAA regulations and patient privacy seriously and had implemented a number of measures to safeguard the PHI it stored, in accordance with HIPAA Security Rule and Privacy Rule Guidelines. This incident shows that even when data security measures are adopted it is all too easy for PHI to be exposed.

In response to the Oregon HIPAA data breach, the Corvallis Clinic will be conducting further staff training sessions to ensure that similar incidents do not occur in the future. The Department of Health and Human Services’ Office for Civil Rights will be issued with a notification about the breach once it is established how many individuals have been affected. Breach notification letters will also be sent to the individuals concerned.

This is not the first Oregon HIPAA data breach to have occurred this year; Albertina Kerr Centers reported the theft of a laptop computer containing the unencrypted PHI of 1,320 patients in October and the Portland VA Medical Center declared a 1,740 breach of paper/films and in May. Central City Concern reported the largest Oregon HIPAA data breach when an “unauthorized disclosure” exposed 17,914 records.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news