OHSU Data Breach: Where Health IT is lacking

In an interesting piece posted over the weekend at The Health Care Blog, Dr. David Do described a recent reported data breach by the Oregon Health & Science University. The event, which was reported to patients at the end of July, was triggered when OHSU administrators discovered that medical residents were storing patient records in Google Drive, a free, cloud-based document storage platform. While the 3,000 or so patient records discovered to be stored in the cloud were not actually “breached,” regulatory requirements under the HIPAA/HITECH Breach Notification Rule required administrators to notify all of the patients affected.

Healthcare Incidents to be Aware of

As Dr. Do notes, the incident underscores one of the greater issues present in the practical application of healthcare IT: despite the impressive mix of EMRs and other health-related IT tools on the market today, the very basic needs of healthcare providers still remain unfulfilled. One such practical need is the ability for healthcare providers to safely collaborate with one another electronically. As EMR systems continue to neglect the need for this collaboration among healthcare provider teams, the very same providers will look to alternative methods to satisfy the needs of their patients. And as a compliance officer or a CIO, by the time you find out that your employees are using unapproved mass market solutions, it’s usually too late.

Current Cloud Storage is not Secure Enough for Healthcare

Free cloud-based storage tools such as Google Drive or Dropbox are remarkably usable and convenient. I happen to use both on a regular basis to share documents across devices and with different people. However, despite the practical uses of these products, they were not designed to share highly sensitive data such as PHI. Moreover, when a patient record gets uploaded to the server of a third-party provider, the data has gone off hospital premises and into the custody of a de facto business associate with no BAA in place. Show me someone who has gotten Google to enter into a BAA, and I’ll show you a liar.

Get Secure with your Data Today

Here’s the bottom line: the providers at your facility have a deep thirst to use electronic tools to share patient data in a laudable effort to improve care for their patients. Given the inadequacy of existing EMR systems to provide this ability, your providers are going to find one way or another to assist with this workflow. As someone in charge of your information systems or compliance program, it’s much better to vet out the possible tools for them to use on the front end than deal with the potential data breach on the back end.

Frequently Asked Questions

A Business Associate Agreement (BAA) is a HIPAA-required contract between healthcare organizations and third-party vendors who handle protected health information (PHI). Consumer cloud services like Google Drive and Dropbox don't offer BAAs, making them non-compliant for storing patient records.

Healthcare organizations should use cloud storage solutions specifically designed for medical data that offer BAAs, encryption, and HIPAA compliance features. Examples include specialized healthcare cloud platforms that meet regulatory requirements for PHI storage and sharing.

IT departments should proactively provide approved, secure collaboration tools that meet clinical workflow needs and implement policies restricting unauthorized cloud services. Regular staff training on HIPAA compliance and monitoring network traffic can help identify unauthorized usage before breaches occur.
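The traffic monitoring mentioned above can be a small, repeatable check rather than an ad hoc search. The following is an added example written for this article, not code from the original post or from QliqSOFT: it scans web-proxy log lines for upload-shaped requests (POST or PUT with a large request body) to consumer file-sync domains that no BAA covers, and totals the bytes sent per client and user so a compliance officer can follow up before a record ends up in the cloud. The log line format, the watched-domain list and the size threshold are assumptions; adapt them to your proxy and your policy.

```python
"""Flag likely uploads to consumer cloud-storage services in web-proxy logs.

Added example, not the article's own tooling.  The log format, the domain
watch-list and the size threshold below are assumptions for illustration.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Consumer file-sync services that are out of policy because no BAA covers
# them.  Assumed list; extend it to match your own policy.
WATCHED_DOMAINS = {
    "drive.google.com": "Google Drive",
    "docs.google.com": "Google Drive",
    "dropbox.com": "Dropbox",
    "content.dropboxapi.com": "Dropbox",
}

# Requests with bodies smaller than this are usually UI chatter (autosave,
# telemetry) rather than a document being uploaded.  Assumed threshold.
MIN_UPLOAD_BYTES = 64 * 1024

# Assumed log format, one request per line:
#   <timestamp> <client-ip> <user> <method> <url> <status> <request-bytes>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<user>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<status>\d{3})\s+(?P<req_bytes>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["req_bytes"] = int(rec["req_bytes"])
    rec["host"] = urlparse(rec["url"]).hostname or ""
    return rec


def matched_service(host):
    """Return the service name if host is a watched domain or a subdomain of one."""
    for domain, name in WATCHED_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return name
    return None


def find_uploads(lines, min_bytes=MIN_UPLOAD_BYTES):
    """Return (hits, per_client): upload-shaped requests to watched services,
    and the total bytes each (client, user) pair sent to them."""
    hits = []
    per_client = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line; skip rather than crash the sweep
        service = matched_service(rec["host"])
        if service is None:
            continue
        if rec["method"] not in ("POST", "PUT") or rec["req_bytes"] < min_bytes:
            continue
        rec["service"] = service
        hits.append(rec)
        per_client[(rec["client"], rec["user"])] += rec["req_bytes"]
    return hits, dict(per_client)


# Constructed sample log lines for demonstration; not real traffic.
SAMPLE_LOG = [
    "2013-08-05T09:12:01Z 10.20.4.17 resident1 GET https://intranet.hospital.example/ 200 312",
    "2013-08-05T09:15:44Z 10.20.4.17 resident1 POST https://drive.google.com/upload/drive/v2/files?uploadType=multipart 200 2483921",
    "2013-08-05T09:16:10Z 10.20.4.17 resident1 POST https://docs.google.com/document/d/abc/save 200 1820",
    "2013-08-05T10:02:33Z 10.20.7.90 resident2 PUT https://content.dropboxapi.com/2/files/upload 200 918400",
    "2013-08-05T10:05:00Z 10.20.7.90 resident2 GET https://www.dropbox.com/home 200 440",
    "not a log line",
]

if __name__ == "__main__":
    hits, summary = find_uploads(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['client']} {h['user']} -> {h['service']} ({h['req_bytes']} bytes)")
    for (client, user), total in summary.items():
        print(f"{client} ({user}): {total} bytes sent to watched services")
```

Run against the constructed sample, the sweep reports the multipart upload to Google Drive and the Dropbox PUT, and ignores the small autosave request and the plain page views. Matching on method and body size rather than on domain alone keeps the report short enough to act on; the point is to surface the habit while it is still a policy conversation, not a notification letter.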

Under the HIPAA/HITECH Breach Notification Rule, any unauthorized disclosure or potential exposure of PHI requires patient notification, even if there's no evidence the data was actually accessed. The risk of unauthorized access is sufficient to trigger notification requirements.

Healthcare providers use consumer cloud services because current EMR systems often lack adequate collaboration features needed for patient care coordination. The convenience and functionality of tools like Google Drive fill workflow gaps that existing healthcare IT systems don't address.

Written by

Krishna Kurapati

Founder & CEO

Founder & CEO of QliqSOFT with 20+ years of healthcare technology experience.
