When an electronic device with unencrypted patient information was stolen from the unattended vehicle of an Omnicell employee, the University of Michigan Health System notified 3,997 of their patients, but there were other hospitals that were not named at the time.
Thanks to WVEC, we now know 56,000 Sentara Healthcare patients treated between Oct. 18 and Nov. 9 at seven Sentara hospitals and three outpatient care centers in Hampton Roads, Virginia were also impacted by the theft. Sentara posted a notice on their web site that says, in part:
Omnicell’s investigation concluded that the device may have contained clinical and demographic information about Sentara patients, including patient name, birth date, patient number and medical record number. Additionally, one or more of the following clinical information may have been involved:
Gender; allergies; admission date and/or discharge date; physician name; patient type (i.e., inpatient, emergency department or outpatient); site and area of the hospital (e.g., specific inpatient or outpatient unit/area); room number; medication name; and medication dose amount and rate, route (e.g., oral, infusion, etc.), frequency, administration instructions, and start time and/or stop time.
Patient medical records were not on the device, and patient medical information has not been lost. Also, no financial, bank account information, Social Security number, or insurance information pertaining to any Sentara patient was on the device.
The incident affected only certain patients treated between October 18, 2012 and November 9, 2012 at Sentara CarePlex, Sentara Leigh Hospital, Sentara Norfolk General Hospital, Sentara Obici Hospital, Sentara Princess Anne Hospital, Sentara Virginia Beach General Hospital, Sentara Williamsburg Regional Medical Center, Sentara BelleHarbour, Sentara Independence, and Sentara Port Warwick.
Thanks to WVEC? Actually, the notice was mailed to three newspapers in the Hampton Roads region and posted on http://www.sentara.com, in addition to the individual letters mailed to every patient thought to be affected. WVEC published the Virginian-Pilot brief during the afternoon and sent a videographer, alone, to interview our chief privacy officer.
It was WVEC that made me aware of it, so I gave them the hat-tip.