[ISN] OHSU alerts patients of Google cloud security concerns

http://healthitsecurity.com/2013/07/29/ohsu-alerts-patients-of-google-cloud-security-concerns/

By Patrick Ouellette
HealthITSecurity.com
July 29, 2013

In a rare patient privacy issue involving patient data stored in the cloud, Oregon Health and Science University (OHSU) alerted 3,044 patients on July 26 that it had stored their data with a non-business associate (BA), Internet-based service provider Google.

According to OHSU, Google Drive and Google Mail have security features in place that include password protection, and it doesn’t appear as though any data has been inappropriately accessed. But since Google isn’t an OHSU BA and there’s no contractual agreement in place to use or store OHSU patient health information, the organization isn’t sure that Google has the proper privacy policies in place to handle protected health information (PHI).

Google’s terms of service apparently say that the data stored with its infrastructure can be used for the “purpose of operating, promoting, and improving [its] Services, and to develop new ones.”

Since OHSU can’t get Google’s word (as of now) that its PHI hasn’t been, and will not be in the future, used to develop Google’s services, it removed all PHI from Google’s services and sent out this letter to all affected patients:

[…]