OHSU alerts patients of Google cloud security concerns

[InfoSec News <alerts () infosecnews org>]

http://healthitsecurity.com/2013/07/29/ohsu-alerts-patients-of-google-cloud-security-concerns/

By Patrick Ouellette
HealthITSecurity.com
July 29, 2013

In a rare data patient privacy issue involving patient data stored in the 
cloud, Oregon Health and Science University (OHSU) alerted 3,044 patients 
on July 26 that it had stored their data using a non-business associate 
(BA) in Internet-based service provider Google.

According OHSU, Google Drive and Google Mail have security features in 
place that include password protection and it doesn't appear as though any 
data has been inappropriately accessed. But since Google isn't a OHSU BA 
and there’s no contractual agreement in place to use or store OHSU patient 
health information, the organization isn't sure that Google has the proper 
privacy policies in place to handle protected health information (PHI). 
Google's terms of service apparently say that the data stored with its 
infrastructure can be used for the "purpose of operating, promoting, and 
improving [its] Services, and to develop new ones."

Since OHSU can't get Google's word (as of now) that its PHI hasn't been, 
and will not be in the future, used to develop Google's services, it 
removed all PHI from Google's services and sent out this letter to all 
affected patients:

[...]

--
Find the best InfoSec talent without breaking your budget!
Post a Job! $99 for 31 days
http://www.hotinfosecjobs.com/