Patient privacy at risk after OHSU doctors put data on Google cloud

PORTLAND, Ore. - Oregon Health & Science University has sent thousands of letters to patients telling them their personal information was compromised after the hospital learned doctors were storing records on a cloud computing server.

Hackers and identity thieves are not the only ones who can access the information, but the thousands of employees who work at Google as well.

For over two years medical residents at OHSU have been storing patient information on Google's cloud computing servers, including patient names, ages, diagnoses and in some cases their addresses.

Per Google's Terms of Service, anything that's put on its cloud it can use and "publish, publicly perform, publicly display and distribute."

And even though there is no sign anyone besides Google got ahold of patient information, it's still something OHSU is concerned about.

"Because we have that concern, we want to be very transparent," said John Rasmussen, OHSU's chief information security officer. "We understand based on the rules that this is a disclosure and we just want to get the word out, make sure that our patients know that this data has been exposed."

OHSU confirms this information was being stored by medical residents but says nobody else knew it was happening until this May.

However safe Google's cloud computing service may be it just doesn't have the securities that are found where OHSU staff is supposed to be storing patient information.

Benjamin Diggles of Portland-based WebTrends, says there's nothing wrong with storing information on the cloud; in fact, he thinks it is more secure than a traditional server. He says the problem in this case is Google.

"Don't blame cloud computing. Look at the different companies that are leveraging cloud computing. You look at Google where they really don't care about privacy as much as some of the other companies," he said.

Still, OHSU admits it's possible someone outside Google got ahold of the information.

"We're always concerned that somebody may have accessed this information without authorization," said Rasmussen.

According to the hospital, it took so long for it to put a stop to the practice because keeping track of everything doctors do with hospital computers would mean sifting through 99.9 percent of appropriate information to find the 0.1 percent that shouldn't be on there.

The hospital declined to discuss what it will do with the doctors who stored the information.

The hospital took down the information and sent out letters notifying patients of the security breach, and it will likely now face an investigation from the federal Office of Civil Rights.