Updated to include statement from hospital under original story.
The Detroit Free Press reports that an electronic device stolen from the car of an Omnicell employee on November 14 contained data on 4,000 patients. The University of Michigan Health System learned of the incident on November 20 and will be notifying 4,000 patients from three hospitals that unencrypted medication, demographic and health information was on the device. The device did not contain Social Security numbers or financial information.
I’ve written to UMHS to request a copy of their statement as well as some additional details, and will update this entry if/when I get more details.
Updated 12-31-2012: I received the following statement from UMHS:
ANN ARBOR, Mich. — The University of Michigan Health System is notifying approximately 4,000 patients about an incident that may have exposed some of their health information.
UMHS was notified on Nov. 20 by one of its vendors, Omnicell, that Omnicell electronic equipment containing some UMHS patient medication information – as well as patient information for two other hospitals – was stolen on Nov. 14. The information did not include addresses, phone numbers, social security numbers, credit card, debit card, or bank account numbers, but did include some demographic and health information.
The electronic equipment was stolen out of an Omnicell employee’s car. A police report was filed, but the equipment has not been recovered. UMHS has determined that the potential patient information exposure occurred because Omnicell’s employee stored data on an unsecured electronic device, which is a violation of UMHS’ and Omnicell’s standard policies and procedures in place to protect private health information. UMHS policy requires that all patient information be stored on an encrypted device – encryption is the strongest and most secure method of protecting data.
Omnicell has also informed the other two affected hospitals of the incident, and those institutions are also preparing to notify their patients.
“Patient privacy is extremely important to us, and we take this matter very seriously,” says UMHS Chief Compliance Officer Jeanne Strickland. “UMHS has taken immediate steps to investigate this matter.”
An investigation shows that the files on the electronic equipment contained the following demographic information about some patients who were seen between Oct. 24 and Nov. 13, 2012: patient name; birth date; UMHS patient number; and medical record number. Additionally, one or more of the following items of clinical information may also have been involved: gender; allergies; admission date and/or discharge date; physician name; patient type (i.e., inpatient, emergency department or outpatient); site and area of the hospital; room number; medication name; and medication dose amount and rate, route, frequency, administration instructions, start time and/or stop time.
As a precautionary measure, affected patients have been advised to monitor their medical insurance statements for any potential evidence of fraudulent transactions using their information. However, UMHS believes the risk of this occurring is low, partly because the data on the file contains multiple fields that are not readily understood. An analysis of the data would be needed in order to link specific patient names to private health information.
Omnicell is continuing to investigate this incident and is working closely with authorities to locate the stolen equipment and secure all patient information. Omnicell is also taking steps to improve its security program and practices in response to this incident.
Affected UMHS patients are expected to receive letters in the mail notifying them of this incident within the next couple of days. Patients who have concerns or questions may call toll-free (855) 855-4331, Monday through Friday, from 8 a.m. to 5 p.m., and Saturday, from 8 a.m. to 2 p.m.
In response to specific questions I posed to them, a spokesperson responded that they would not disclose the type of device involved:
We are not allowed to say as this is part of a police investigation and it’s quite likely the person or persons who stole the equipment do not know that these records are on the device.
Nor would the spokesperson disclose the names of the other affected hospitals or the location of the incident:
Again, per the police investigation, we are not saying where this occurred as we don’t want to alert the person or persons who stole the equipment to the existence of the records. I would like to add that, even if the person did actually find the records, it would be extremely difficult for them to decipher what those records contain.
So far, I haven’t seen any other breach notifications from hospitals that might be part of the same incident, but perhaps they are still working on their notifications.