You are viewing this article in the archives. For the latest breaking news and updates in Ann Arbor and the surrounding area, see
Posted on Sun, Dec 23, 2012 : 3:04 p.m.

Device containing health information of 4,000 U-M Health System patients stolen

By Freelance Journalist

The University of Michigan Health System plans to notify roughly 4,000 patients who were seen this fall that some of their health information may have been stolen, the Detroit Free Press reports.

Omnicell, a medication and supply management and business analytics vendor, notified the health system last month that electronic equipment containing patient information was stolen from the car of an employee on Nov. 14. Included was medication, demographic and health information about patients at three hospitals who were treated between Oct. 24 and Nov. 13.

Omnicell said the data was on an unsecured electronic device, a violation of its and U-M's standard policies and procedures.

The information did not include addresses, phone numbers, Social Security numbers or financial information.

Patients affected by the theft should receive letters in the coming days.

For more, read the Free Press story.



Mon, Dec 24, 2012 : 4:56 p.m.

What a terrible headline! It is so totally misleading. Yes, information was stolen concerning U of M Health System patients, but not from the U of M and not from the U of M alone. Shame on you.

Unusual Suspect

Mon, Dec 24, 2012 : 4:59 p.m.

The headline doesn't say the information was stolen from U of M.


Mon, Dec 24, 2012 : 3:56 p.m.

HHS takes these events very seriously. They keep a list of organizations that had breaches affecting more than 500 patients here: Neither the organizations, nor the professionals involved want to be on the "wall of shame."

Duane Collicott

Mon, Dec 24, 2012 : 2:51 p.m.

Message for Omnicell: encrypted hard drives. Move into the current decade.

Kai Petainen

Mon, Dec 24, 2012 : 2:09 p.m.

Come on! Can't the hospital get a break? This year has been nasty for the hospital. Hopefully, in 8 days they can start fresh... with a new year.


Mon, Dec 24, 2012 : 3:56 p.m.

a break from scrutiny ? no. could they be as careful with the business side of things as they are actual medical care? definitely.


Mon, Dec 24, 2012 : 2:01 p.m.

The thieves usually do not know that the device contains PHI. They steal the device to sell it. That said, the device should have been encrypted. Failure to do so is irresponsible and lazy.


Mon, Dec 24, 2012 : 12:51 p.m.

Hope fully this electronic device had the a FIND ME application, no that would of been to difficult for management to mandate to insure if something like this would of happened could of easily been resolved.


Mon, Dec 24, 2012 : 5:21 a.m.

The letter we received last week from Omnicell about this incident was very specific about the data that was stolen. And gave a good example of the way the data would look (quite messy, computer style) to the persons that may view the data. I am sure someone with evil intent would find out what meds were given to my family member and the U of M registration number and the MD name and the diagnosis. But the diagnosis has already been made public through our own accord to promote further research. The U of M Comprehensive Cancer Center is totally responsible for the fact that he is still alive and happy living with Stage 4 cancer for years. They are not at all responsible for negligence on the part of a vendor's employee. Don't hate just for the sake of hating. Hate is too stressing and life is too SHORT!


Mon, Dec 24, 2012 : 2:56 p.m.

Life IS too short. It doesn't mean that everyone is comfortable with a flawed system. Technology aside, this is reprehensible on every level. Stop trivializing this crime. Seriously, can we really trust Omnicell to tell the truth? They stand to lose.....a lot!


Mon, Dec 24, 2012 : 5:28 a.m.

PS: However, I did not like the fact that the Omnicell Company sent a letter FIRST. I feel the news should have come from the care provider, U of M, FIRST. But still not worth hatin on them!!.


Mon, Dec 24, 2012 : 5:13 a.m.

What concerns me more is whether the UofM has eliminated the security defect that allowed patient data to be downloaded to a laptop computer or to a flash drive. As long as this breach can be repeated no patient at UofM is safe from having personal information stolen. If the data obtained includes names, addresses, birth dates, and social security numbers then identities can be stolen with resulting financial hardship. I am wondering how this breach was discovered in the first place?


Mon, Dec 24, 2012 : 4:51 a.m.

Jeepers, I can't wait until my health information is part of a national database. . . I'm sure it will be secure from interlopers such as employers and insurers . . .


Mon, Dec 24, 2012 : 3:15 p.m.

This was a business working with the UMHS that lost the information, not the patients' employers or insurers.


Mon, Dec 24, 2012 : 2:04 p.m.

As a patient, you will have the right to view the audit log that details who has accessed your health information. In this case, where an extract was made for a third party to work on, the audit log would not contain that. However, best practice is to build extracts like this with PHI removed.


Mon, Dec 24, 2012 : 4:53 a.m.

Oh, and bureaucrats too!


Mon, Dec 24, 2012 : 4:41 a.m.

Demographic information likely means names, addresses, and phone numbers. At least SS numbers weren't included. Will letters to patients be more specific about what infomation was stolen? I hope it's true that credit card numbers and especially Social Security numbers weren't stolen.

Michigan Man

Sun, Dec 23, 2012 : 11:54 p.m.

Oh my! Bonds downgraded, faculty scandal involving insider trading, residents with porn, operating budget problems and now theft of confidential patient all in ONE year!


Sun, Dec 23, 2012 : 11:28 p.m.

Electronic equipment....It would be nice to know what type of devise was stolen. Certain types of electronic devises can have their information remotely wiped out if lost or stolen.


Sun, Dec 23, 2012 : 11:16 p.m.

U of MI has policies in place to prevent this and if devices are stolen, they have encoded data so as not to be of any use to the thieves. If a company doing business with the hospital ignores clearly stated policy, then they are responsible for any damages. Just saying the U has deep pockets and is evil because it is big is nuts.


Mon, Dec 24, 2012 : 4:57 p.m.

u of m hired this company therefore they share resonsibility

Homeland Conspiracy

Sun, Dec 23, 2012 : 10:20 p.m.

Let's steal Blimpy's back


Sun, Dec 23, 2012 : 9:45 p.m.

Golly, does mean someone may have the wavelength frequency of my heart monitor and be able to manipul ------------- AWWKKK


Sun, Dec 23, 2012 : 9:27 p.m.

Absolutely unacceptable. I hope there are lawsuits to follow. UM of course downplays and misleads with the statement: "some of their health information may have been stolen." MAY have been stolen? The article states: "vendor notified the health system last month that electronic equipment containing patient information was stolen from the car of an employee on Nov. 14. Included was medication, demographic and health information about patients at three hospitals who were treated between Oct. 24 and Nov. 13." So the health information WAS stolen on an unsecured electronic device, but UM says it MIGHT have been stolen. Ha. Who are you going to believe? Worse yet, more than a month has passed since the theft of the data and we are just learning this now??? Patients haven't even received letters about this theft for 6 weeks! UM needs to be sued.


Mon, Dec 24, 2012 : 1:32 p.m.

I agree with Gorc. What are the damages?


Sun, Dec 23, 2012 : 11:33 p.m.

JRW...if you we're to bring civil litigation against the university, what would be your financial losses at this point?


Sun, Dec 23, 2012 : 8:42 p.m.

Is the person responsible still employed?


Mon, Dec 24, 2012 : 2:21 p.m.

It was stolen from a car, should the car be impounded for not preventing the theft?