Recently, officials at Oregon Health & Science University discovered that residents in several departments had been storing patient information on Google Drive for the past two years. They treated the discovery as a breach of privacy and notified 3,000 patients about the incident.

While I don’t condone storing patient information on unapproved services like Gmail or Google Drive, this incident highlights the sorry state of information systems within the hospital and physicians’ unmet need for tools that support workflow and patient care.

It says something that the Oregon residents felt compelled to take such a drastic action. I don’t know what punishment – if any – those responsible were given by administrators for their “crimes.” I’ll leave it to readers to make up their own minds about the wisdom of the unauthorized workaround and the appropriateness of any punishment. But I do know that the message the incident sends is a very clear one.

We’re screwing this up. There is no earthly reason why sharing a patient record should be any harder than sharing a Word doc, a PowerPoint or, yes, even a cloud-based Google Drive spreadsheet.

Why the Breach Happened

What’s going on here? Say I admit a patient to the hospital. He was hospitalized here just last month, and like many patients he has dementia or is poorly educated and does not know the names of the medications he takes. Unfortunately, I have no way to see what he takes or how he was treated during the prior admission, because the records in the computer exist for documentation’s sake and contain no meaningful clinical information. This is clearly a problem for me.

So I spend time calling outside facilities to gather information, and I repeat several tests and imaging procedures.

Medical care has become a team sport, and residents have developed systems for keeping track of their patients and communicating with other physicians. It takes time to think about and process each patient who comes in and to consolidate all the information. Ultimately, I need to boil it down to a five-minute description of the patient, their problems, the status of the current admission, and what needs to happen before they go home. We do this in the form of a signout document.

Figure: The signout document has four to five columns and includes the To Do list for each patient.

The EMR has no good way to store information in this format, and I have no way of editing it in real time to tell my coworkers what still needs to be done. That is why residents were storing their signouts in Google Drive.

What providers need here is simple data management. We need to store and access this list from different computers, to enter a subset of the data through a custom form, and to print subsets of the data as To Do lists, rounding sheets, or progress notes.
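As an added illustration of the data management described above (example code written for this page, not software from the original post or from any hospital system), here is a signout list kept as structured records instead of a free-form spreadsheet, with the three views the post asks for: the per-patient To Do subset, a one-line-per-patient rounding sheet, and an update that marks a task done. The column names, the tab-separated format, and the sample rows are constructed assumptions; the sample contains no real patient data.

```python
"""Signout list as structured data, with To Do and rounding-sheet views.

Added example; the column names, "[x]" done-marker and sample rows are
assumptions made for this page, not a format from the original post.
"""
import csv
import io
from dataclasses import dataclass, field

# Constructed sample signout: four columns, one row per patient. The todo
# cell holds semicolon-separated items; a leading "[x]" marks an item done.
SAMPLE_SIGNOUT = """patient\tproblems\tstatus\ttodo
Bed 12\tCOPD exacerbation; dementia\tday 2, improving on nebs\tcall outside pharmacy for home med list; [x] repeat CXR; PT eval
Bed 14\tCellulitis\tday 1\t
Bed 15\tCHF\tday 3, diuresing\tfollow up BMP; [x] echo read; arrange home O2
"""


@dataclass
class Task:
    text: str
    done: bool = False


@dataclass
class SignoutRow:
    patient: str
    problems: list[str]
    status: str
    tasks: list[Task] = field(default_factory=list)


def parse_tasks(cell: str) -> list[Task]:
    """Split a todo cell into tasks; an empty cell yields no tasks."""
    tasks = []
    for item in cell.split(";"):
        item = item.strip()
        if not item:
            continue
        done = item.startswith("[x]")
        tasks.append(Task(item[3:].strip() if done else item, done))
    return tasks


def parse_signout(text: str) -> list[SignoutRow]:
    """Read the tab-separated signout into rows of structured data."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    rows = []
    for r in reader:
        problems = [p.strip() for p in r["problems"].split(";") if p.strip()]
        rows.append(SignoutRow(r["patient"], problems, r["status"],
                               parse_tasks(r["todo"])))
    return rows


def todo_list(rows: list[SignoutRow]) -> dict[str, list[str]]:
    """Open tasks per patient; patients with nothing outstanding are omitted."""
    return {r.patient: [t.text for t in r.tasks if not t.done]
            for r in rows if any(not t.done for t in r.tasks)}


def rounding_sheet(rows: list[SignoutRow]) -> list[str]:
    """One printable line per patient: bed, problem list, status, open tasks."""
    return [f"{r.patient} | {', '.join(r.problems)} | {r.status} | "
            f"{sum(not t.done for t in r.tasks)} open" for r in rows]


def mark_done(rows: list[SignoutRow], patient: str, task_text: str) -> bool:
    """Mark a task done; returns False if the patient or task is not found."""
    for r in rows:
        if r.patient == patient:
            for t in r.tasks:
                if t.text == task_text:
                    t.done = True
                    return True
    return False


if __name__ == "__main__":
    signout = parse_signout(SAMPLE_SIGNOUT)
    print(todo_list(signout))
    for line in rounding_sheet(signout):
        print(line)
```

The point is that once the signout is structured, the To Do list and rounding sheet are views over the same records rather than separate copies that drift apart. Wherever such a list is stored, it is protected health information, so the storage behind it has to be a sanctioned, access-controlled system rather than a personal cloud drive, which is exactly the gap the post describes.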

What we can learn from this breach

In the end, there was no actual breach of data. Don’t blame the residents for what happened in Oregon. They have, better than anyone, demonstrated an unmet need for good, user-tested medical software. Products developed through hospital IT departments are slow, non-intuitive, and buggy. Hospitals need to invest in health IT above and beyond what is required to meet Health IT legislation. We need designers, software product managers, and user testers from

David Do, MD is a graduate of The Johns Hopkins University School of Medicine and a resident physician at the Hospital of the University of Pennsylvania. He is an agile software developer and Chief Technology Officer at

25 Responses for “What the Recent Data Breach Says About the State of Health IT”

  1. john irvine says:

    They should get a medal.

    • David Do, MD says:

      It’s easy to place blame after an incident like this, but these types of “breaches” are happening everywhere, whether it’s in the form of cloud storage, carrying health information on thumb drives, or using unapproved email accounts.

      There are surprisingly few “secure” ways of storing and sending health info in the hospital.

  2. Whatsen Williams says:

    It is much worse than that. Glad someone is waking up to the toxicity that these multi million dollar systems are having on medical care, patients, and their doctors. All happening without FDA oversight. All happening devoid of any oversight. A sham on America, courtesy of the Congress of the United States, that was deceived by the HIT industry and its greenbacks.

    • David Do, MD says:

      Dr. Williams, the IT solutions we choose certainly have an effect on patient care that is hard to fully characterize. I don’t know if more oversight is the answer–in fact, I would caution that regulation and incentives are to blame for much of the problem. We do, however, need systems that are usable so physicians can focus on patient care.

  3. Curly Harrison, MD says:

    @whatsen sure got that one spot on.

    Handoffs are dangerous. EHR devices exacerbate the handoff problems. Can anyone trust the care that is run by these flawed, inferior, and insufficient EHR systems? They are simply not fit for purpose. Exemplars are here:

  4. Whatsen Williams says:

    ******I don’t know if more oversight is the answer–in fact, I would caution that regulation and incentives are to blame for much of the problem.******

    There is zero regulation for safety, efficacy, and usability of these EHR and CPOE devices. ZERO! It cannot be to blame if there ain’t none.

    There was not any FDA regulation of the compounding pharmacy that sold contaminated (w fungus), There is not any FDA regulation of EHR, CPOE, or CDS devices and they are disruptive to care and workflows.

    On the other hand, there are innumerable poorly conceived incentives, each with unintended consequences, and they can be blamed as an amplifier of the toxicities already in the systems.

  5. Whatsen Williams says:

    The FDA is fully capable of vetting these software driven workflow controlling devices in the premarket and after market. Right now, there is zero oversight.
    For instance, @curly sent in references to defects in the ordering devices of an EHR vendor. What organization is responsible for assuring that the device is actually fixed?

    • David Do, MD says:

      I would argue that more oversight for software would require more fixed versioning. That makes it less agile and ultimately less usable. Furthermore, would I go through FDA approval to build software internally too? I don’t want the FDA anywhere near my software.

  6. Whatsen Williams says:

    And by the way, IT is not a solution to anything unless said solution is validated as being a solution. Most IT in medicine right now is a solution to the bottom lines of most hospitals ( although some have had their Fitch bond ratings reduced).

    • David Do, MD says:

      Agreed that validation is necessary. Instead of RCTs, validation needs to be in the form of user satisfaction, less time on the computer, and more time for patient care.

  7. There were several other “genuine” breaches at OHSU in the past year (not that they’re special; this is commonplace):
    Unauthorized use of cloud computing storage services in two departments of Oregon Health & Science University has resulted in the organization notifying more than 3,000 patients that protected health information may have been compromised. The incident is the third major breach for OHSU in the past year. The previous breaches on the HHS Office for Civil Rights’ public Web site included an unspecified theft on July 4, 2012, affecting 702 patients, and the theft of a laptop on Feb. 22, 2013, affecting 1,114

    As Bill Hersh might say, though, as he has to me about EHR-related patient mishaps, “it’s anecdotal.”

    • David Do, MD says:

      Thanks for the details. Is OHSU a dangerous place for private patient data or are they reporting more than everyone else?

  8. legacyflyer says:

    This “breach” tells a very clear and powerful message.

    1) Doctors (in this case residents) are NOT opposed to electronic medical records. They are opposed to BAD electronic medical records.

    2) If the “approved”, “meaningfully used” electronic medical record was useful, the residents wouldn’t have taken the time and trouble to write their own.

    3) If residents (in their abundant (?) spare time) can come up with something that is more useful than the system designed by professional software developers receiving subsidies from the Feds, there is something seriously wrong with the path we are on.

    The Emperor (EMR) has no clothes!

    • David Do, MD says:

      Yes, this is a very accurate assessment. Although #3 is not shocking to me, because users should always know what’s more useful; it’s just that developers and buyers of software need to include the users in decisions, and extensive user testing before deployment is critical.

      • TexDoc says:

        With all due respect, there is nothing about ANY of the various and sundry codewastes labeled “EHR”s that stands any scrutiny as to efficacy or efficiency in regards to actually assisting in the flow of patient care or its documentation.
        And that is in fact due to the very specific exclusion of active physicians from their design.
        The same tired panel of executive physicians pop up to “provide the doc’s views” on every topic – reads like the AMA roster – but no one really uses this crap who is in fact accountable.
        Remove the Hold Harmless clauses and this idiocy will halt.

  9. Whatsen Williams says:

    As currently configured, the systems on which $ billions of the taxpayers is being spent, are impediments to workflows and care, which is why workarounds are commonplace, especially at Oregon U. What I like is how the government wants meaningfully unusable devices to be used in a meaningfully useful way. Hello?

  10. Chris Porter says:

    Four years ago, my hospital discovered residents using Googledocs for the same purpose. A huge memo, finger-wagging, and explicit prohibition of Googledocs followed. The residents were then compelled to share spreadsheets of patient lists by email. Give them a better solution, not a lecture.

    • David Do, MD says:

      Thanks for sharing, Chris. Unfortunately, when it comes to IT, hospitals are focused on security rather than what technology can do for patient care.

  11. Abdul Saadi says:

    Very telling; we have faced this time and time again. We as physicians have to adapt the ways we round and see patients around the way the EMR (software) was built a decade ago. Instead of these programs being programmed to help you out as a provider, they are an impediment to workflow.

    • David Do, MD says:

      Absolutely, I say let’s force existing vendors to free the data and we can bring in Silicon Valley developers, designers, and security experts to do it right.

  12. 40yearold doc says:

    No CPT, ICD, or MU.

    Of course it’s useful, and of course it has nothing in common with a certified EMR.

  13. Thanks for sharing; this is very useful to me.

  14. It’s really a strange phenomenon: the usability of the systems we have to use at work – inside corporations and organizations – is so far behind what is available to us as consumers. And the gap seems to be widening – not closing.

    Enterprise software needs to catch up. We can, and must, demand *consumer-grade usability* at work, too.

    I quoted this post and linked to it here:

    SUNCS is the acronym for “Secretly Using Non-Corporate Software” – another kind of “BYOD” (Bring Your Own Device). Probably even more common …

The Health Care Blog (THCB) is based in San Francisco. We were founded in 2003 by Matthew Holt. John Irvine joined a year later and now runs the site.