DataBreaches.Net

Michigan Medicine notifies patients of health information data breach

Posted on June 26, 2018 by Dissent

ANN ARBOR, Mich. — Michigan Medicine is notifying approximately 870 patients about the theft of a laptop computer that may have exposed some of their health information.

On June 3, 2018, a Michigan Medicine employee’s personal laptop computer was stolen. The theft occurred when the employee’s car was broken into and his bag, which contained the laptop, was stolen. The theft was immediately reported to the local police, and Michigan Medicine was notified on June 4.

The information on the laptop did not include addresses, phone numbers, social security numbers, or credit card, debit card or bank account numbers, but did include some limited health information that was collected for research.

The data stored on the laptop varied based on the research studies, but could have included patient names, birthdates, medical record number, gender, race, diagnosis and other treatment-related information.

The research studies involved were approved by the Institutional Review Board (IRB) at Michigan Medicine. The IRB reviews and approves proposed research studies involving human subjects to assure compliance with rigorous federal research regulatory requirements, including patient confidentiality and other human subject protections.

The IRB approved the collection of limited patient information. However, in violation of the IRB approvals and Michigan Medicine policies, the employee downloaded and stored the research data on his personal laptop. The laptop was password-protected, but it was not encrypted.

Michigan Medicine policy requires that patient information be stored on an encrypted device – encryption is the strongest and most secure method of protecting data.

“Patient privacy is extremely important to us, and we take this matter very seriously. Michigan Medicine has taken immediate steps to investigate this matter,” said Jeanne Strickland, Michigan Medicine chief compliance officer.

As a precautionary measure, affected patients have been advised to monitor their medical insurance statements for any potential evidence of fraudulent transactions using their information. However, Michigan Medicine believes the risk of this occurring is low, partly because the data on the electronic device does not include any health plan information or other identifying information that could lead to medical identity theft or financial identity theft.

Michigan Medicine continues to educate our entire workforce on the importance of following our patient privacy policies. In response to this incident, educational materials will be improved to further enhance key messages about the prohibited use of personal, unencrypted devices for storage of research data.

As required by Federal law, Michigan Medicine is also notifying the U.S. Department of Health and Human Services Office for Civil Rights.

Affected Michigan Medicine patients are expected to receive letters in the mail notifying them of this incident within the next couple of days. Patients who have concerns or questions may call toll-free 855-336-5900, Monday through Friday, from 8 a.m. to 5 p.m.

Source: University of Michigan, Michigan Medicine

Category: Health Data, Theft, U.S.
