DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Michigan Medicine notifies patients of health information data breach

Posted on June 26, 2018 by Dissent

ANN ARBOR, Mich. — Michigan Medicine is notifying approximately 870 patients about the theft of a laptop computer that may have exposed some of their health information.

On June 3, 2018, a Michigan Medicine employee’s personal laptop computer was stolen. The theft occurred when the employee’s car was broken into and his bag, which contained the laptop, was stolen. The theft was immediately reported to the local police, and Michigan Medicine was notified on June 4.

The information on the laptop did not include addresses, phone numbers, social security numbers, or credit card, debit card or bank account numbers, but did include some limited health information that was collected for research.

The data stored on the laptop varied based on the research studies, but could have included patient names, birthdates, medical record number, gender, race, diagnosis and other treatment-related information.

The research studies involved were approved by the Institutional Review Board (IRB) at Michigan Medicine. The IRB reviews and approves proposed research studies involving human subjects to assure compliance with rigorous federal research regulatory requirements, including patient confidentiality and other human subject protections.

The IRB approved the collection of limited patient information. However, in violation of the IRB approvals and Michigan Medicine policies, the employee downloaded and stored the research data on his personal laptop.  The laptop was password-protected, but it was not encrypted.

Michigan Medicine policy requires that patient information be stored on an encrypted device – encryption is the strongest and most secure method of protecting data.

“Patient privacy is extremely important to us, and we take this matter very seriously. Michigan Medicine has taken immediate steps to investigate this matter,” said Jeanne Strickland, Michigan Medicine chief compliance officer.

As a precautionary measure, affected patients have been advised to monitor their medical insurance statements for any potential evidence of fraudulent transactions using their information. However, Michigan Medicine believes the risk of this occurring is low, partly because the data on the electronic device does not include any health plan information or other identifying information that could lead to medical identity theft or financial identity theft.

Michigan Medicine continues to educate our entire workforce on the importance of following our patient privacy policies. In response to this incident, educational materials will be improved to further enhance key messages about the prohibited use of personal, unencrypted devices for storage of research data.

As required by Federal law, Michigan Medicine is also notifying the U.S. Department of Health and Human Services Office for Civil Rights.

Affected Michigan Medicine patients are expected to receive letters in the mail notifying them of this incident within the next couple of days. Patients who have concerns or questions may call toll-free 855-336-5900, Monday through Friday, from 8 a.m. to 5 p.m.

Source: University of Michigan, Michigan Medicine

Category: Health DataTheftU.S.

Post navigation

← Comcast fixes another Xfinity website data leak
Judge Dismisses Lawsuit Charging LabCorp with HIPAA Violation →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Dublin ETB fined €125,000 for data protection breaches
  • From $5,000 to $800,000: Days Apart, OCR Security Settlements Show Puzzling Math
  • Liberty Township in Ohio has recovered its network after a ransomware attack
  • Marquette County Medical Care Facility discloses data breach
  • Industry Letter – June 23, 2025: Impact to Financial Sector of Ongoing Global Conflicts
  • MNGI Digestive Health settles class action lawsuit stemming from BlackCat attack
  • Four REvil ransomware members released after time served on carding charges
  • Why Dumping Sensitive Data on Network Shares is a Liability
  • A militarily degraded Iran may turn to asymmetrical warfare – raising risk of proxy and cyber attacks
  • Pro-Russian hackers disrupt Dutch government websites ahead of NATO summit

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • How Internet of Things devices affect your privacy – even when they’re not yours
  • Sky Views Personal Data as a Potential Weapon in IPTV Piracy War
  • Florida Used a Nationwide Surveillance Camera Network 250 Times To Aid in Immigration Arrests
  • Federal Court Strikes Down HIPAA Reproductive Health Care Privacy Rule
  • The Markup caught 4 more states sharing personal health data with Big Tech
  • Privacy in the Big Sky State: Montana’s Consumer Privacy Law Gets Amended
  • UK Passes Data Use and Access Regulation Bill

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.