Stolen health information affects 4,000 University of Michigan Health System patients (updated)

Posted on December 22, 2012 by Dissent

Updated to include statement from hospital under original story.

The Detroit Free Press reports that an electronic device stolen from the car of an employee of Omnicell on November 14 contained data on 4,000 patients. The University of Michigan Health System learned of the incident on November 20 and will be notifying 4,000 patients from three hospitals that unencrypted medication, demographic and health information was on the device. It did not contain Social Security numbers or financial information.

I’ve written to UMHS to request a copy of their statement as well as some additional details, and will update this entry if/when I get more details.

Updated 12-31-2012: I received the following statement from UMHS:

ANN ARBOR, Mich. — The University of Michigan Health System is notifying approximately 4,000 patients about an incident that may have exposed some of their health information.

UMHS was notified on Nov. 20 by one of its vendors, Omnicell, that Omnicell electronic equipment containing some UMHS patient medication information – as well as patient information for two other hospitals – was stolen on Nov. 14. The information did not include addresses, phone numbers, Social Security numbers, credit card, debit card, or bank account numbers, but did include some demographic and health information.

The electronic equipment was stolen out of an Omnicell employee’s car. A police report was filed, but the equipment has not been recovered. UMHS has determined that the potential patient information exposure occurred because Omnicell’s employee stored data on an unsecured electronic device, which is a violation of UMHS’ and Omnicell’s standard policies and procedures in place to protect private health information. UMHS policy requires that all patient information be stored on an encrypted device – encryption is the strongest and most secure method of protecting data.

Omnicell has also informed the other two affected hospitals of the incident, and those institutions are also preparing to notify their patients.

“Patient privacy is extremely important to us, and we take this matter very seriously,” says UMHS Chief Compliance Officer Jeanne Strickland. “UMHS has taken immediate steps to investigate this matter.”

An investigation shows that the files on the electronic equipment contained the following demographic information about some patients who were seen between Oct. 24 and Nov. 13, 2012: patient name; birth date; UMHS patient number; and medical record number. Additionally, one or more of the following items of clinical information may also have been involved: gender; allergies; admission date and/or discharge date; physician name; patient type (i.e., inpatient, emergency department or outpatient); site and area of the hospital; room number; medication name; and medication dose amount and rate, route, frequency, administration instructions, start time and/or stop time.

As a precautionary measure, affected patients have been advised to monitor their medical insurance statements for any potential evidence of fraudulent transactions using their information. However, UMHS believes the risk of this occurring is low, partly because the data on the file contains multiple fields that are not readily understood. An analysis of the data would be needed in order to link specific patient names to private health information.

Omnicell is continuing to investigate this incident and is working closely with authorities to locate the stolen equipment and secure all patient information. Omnicell is also taking steps to improve its security program and practices in response to this incident.

Affected UMHS patients are expected to receive letters in the mail notifying them of this incident within the next couple of days. Patients who have concerns or questions may call toll-free (855) 855-4331, Monday through Friday, from 8 a.m. to 5 p.m., and Saturday, from 8 a.m. to 2 p.m.

In response to specific questions I posed to them, a spokesperson responded that they would not disclose the type of device involved:

We are not allowed to say as this is part of a police investigation and it’s quite likely the person or persons who stole the equipment do not know that these records are on the device.

Nor would the spokesperson disclose the names of the other hospitals affected, nor the location of the incident:

Again, per the police investigation, we are not saying where this occurred as we don’t want to alert the person or persons who stole the equipment to the existence of the records. I would like to add that, even if the person did actually find the records, it would be extremely difficult for them to decipher what those records contain.

So far, I haven’t seen any other breach notifications from hospitals that might be part of the same incident, but perhaps they are still working on their notifications.

Category: Health Data
