Hawaii is usually associated with paradise. Not the case, however, for a surgeon from Oregon Health and Science Center University (OHSU). The surgeon was enjoying the sun and beauty of Hawaii while a thief was busy stealing the surgeon's laptop from a vacation rental home. The laptop computer contained Personal Information and Protected Health Information of over 4,000 patients. Although OHSU policies require encryption for laptops used for patient care, the surgeon who had the computer was using the laptop for research purposes, so it was not encrypted.
The surgeon who used the computer received e-mails related to patient care, but believed they would be housed on OHSU’s secure e-mail network. Information compromised included patient names; patient medical record numbers; type of surgery; surgery dates, times and locations; patient gender and age; and names of the surgeon and anesthesiologist. In addition, Social Security numbers of seventeen of the patients were on the laptop.
Does your organization have policies in place for employees who travel with Personal Information while working or on vacation? Does your Incident Response Plan account for a privacy incident that occurs while an employee (or Incident Response Team member) is on vacation or across the ocean?