Cloud Computing: Who is Liable for a Data Breach?
October 13, 2013
Grazed from CFO. Author: Alissa Ponchione.
Seeing an opportunity to make workflow more efficient, residents and physicians-in-training at Oregon Health & Science University started using cloud-computing service Google Drive to keep everyone up to date on patient information. After a faculty member discovered the staff was using the cloud service, the university launched an investigation, and it found that Drive documents held health data from 3,044 of its patients.
Although Google Drive is password protected and has security measures in place, the university did not have a contract agreement with the cloud provider to use or store OHSU patient health information. By disclosing patient information in the cloud, the university violated the Health Insurance Portability and Accountability Act, which requires doctors to keep patient information private and secure…
While OHSU’s chief information security officer did not believe the incident would result in identity theft or financial harm, Google Drive’s terms of service note that data can be used to promote or improve its services. OHSU could not confirm with Google if the health information had been used for those purposes. If it was, that use would compromise a patient’s right to privacy under HIPAA…
Read more from the source @ http://ww2.cfo.com/technology/2013/10/liable-data-breach/


