DataBreaches.Net

Stolen health information affects 4,000 University of Michigan Health System patients (updated)

Posted on December 22, 2012 by Dissent

Updated to include statement from hospital under original story.

The Detroit Free Press reports that an electronic device stolen from the car of an employee of Omnicell on November 14 contained data on 4,000 patients. The University of Michigan Health System learned of the incident on November 20 and will be notifying 4,000 patients from three hospitals that unencrypted medication, demographic and health information was on the device. It did not contain Social Security numbers or financial information.

I’ve written to UMHS to request a copy of their statement as well as some additional details, and will update this entry if/when I get more details.

Updated 12-31-2012: I received the following statement from UMHS:

ANN ARBOR, Mich. — The University of Michigan Health System is notifying approximately 4,000 patients about an incident that may have exposed some of their health information.

UMHS was notified on Nov. 20 by one of its vendors, Omnicell, that Omnicell electronic equipment containing some UMHS patient medication information – as well as patient information for two other hospitals – was stolen on Nov. 14. The information did not include addresses, phone numbers, social security numbers, credit card, debit card, or bank account numbers, but did include some demographic and health information.

The electronic equipment was stolen out of an Omnicell employee’s car. A police report was filed, but the equipment has not been recovered. UMHS has determined that the potential patient information exposure occurred because Omnicell’s employee stored data on an unsecured electronic device, which is a violation of UMHS’ and Omnicell’s standard policies and procedures in place to protect private health information. UMHS policy requires that all patient information be stored on an encrypted device – encryption is the strongest and most secure method of protecting data.

Omnicell has also informed the other two affected hospitals of the incident, and those institutions are also preparing to notify their patients.

“Patient privacy is extremely important to us, and we take this matter very seriously,” says UMHS Chief Compliance Officer Jeanne Strickland. “UMHS has taken immediate steps to investigate this matter.”

An investigation shows that the files on the electronic equipment contained the following demographic information about some patients who were seen between Oct. 24 and Nov. 13, 2012: patient name, birth date, UMHS patient number and medical record number. Additionally, one or more of the following clinical information may also have been involved: gender; allergies; admission date and/or discharge date; physician name; patient type (i.e., inpatient, emergency department or outpatient); site and area of the hospital; room number; medication name; and medication dose amount and rate, route, frequency, administration instructions, start time and/or stop time.

As a precautionary measure, affected patients have been advised to monitor their medical insurance statements for any potential evidence of fraudulent transactions using their information. However, UMHS believes the risk of this occurring is low, partly because the data on the file contains multiple fields that are not readily understood. An analysis of the data would be needed in order to link specific patient names to private health information.

Omnicell is continuing to investigate this incident and is working closely with authorities to locate the stolen equipment and secure all patient information. Omnicell is also taking steps to improve its security program and practices in response to this incident.

Affected UMHS patients are expected to receive letters in the mail notifying them of this incident within the next couple of days. Patients who have concerns or questions may call toll-free (855) 855-4331, Monday through Friday, from 8 a.m. to 5 p.m., and Saturday, from 8 a.m. to 2 p.m.

In response to specific questions I posed to them, a spokesperson responded that they would not disclose the type of device involved:

We are not allowed to say as this is part of a police investigation and it’s quite likely the person or persons who stole the equipment do not know that these records are on the device.

Nor would the spokesperson disclose the names of the other hospitals affected, nor the location of the incident:

Again, per the police investigation, we are not saying where this occurred as we don’t want to alert the person or persons who stole the equipment to the existence of the records. I would like to add that, even if the person did actually find the records, it would be extremely difficult for them to decipher what those records contain.

So far, I haven’t seen any other breach notifications from hospitals that might be part of the same incident, but perhaps they are still working on their notifications.

Category: Health Data