Device containing health information of 4,000 U-M Health System patients stolen
The University of Michigan Health System plans to notify roughly 4,000 patients who were seen this fall that some of their health information may have been stolen, the Detroit Free Press reports.
Omnicell, a medication and supply management and business analytics vendor, notified the health system last month that electronic equipment containing patient information was stolen from the car of an employee on Nov. 14. Included was medication, demographic and health information about patients at three hospitals who were treated between Oct. 24 and Nov. 13.
Omnicell said the data was on an unsecured electronic device, a violation of its and U-M's standard policies and procedures.
The information did not include addresses, phone numbers, Social Security numbers or financial information.
Patients affected by the theft should receive letters in the coming days.
For more, read the Free Press story.
Comments
seasons
Mon, Dec 24, 2012 : 4:56 p.m.
What a terrible headline! It is so totally misleading. Yes, information was stolen concerning U of M Health System patients, but not from the U of M and not from the U of M alone. Shame on you.
Unusual Suspect
Mon, Dec 24, 2012 : 4:59 p.m.
The headline doesn't say the information was stolen from U of M.
SonnyDog09
Mon, Dec 24, 2012 : 3:56 p.m.
HHS takes these events very seriously. They keep a list of organizations that had breaches affecting more than 500 patients here: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html Neither the organizations, nor the professionals involved want to be on the "wall of shame."
Duane Collicott
Mon, Dec 24, 2012 : 2:51 p.m.
Message for Omnicell: encrypted hard drives. Move into the current decade.
Kai Petainen
Mon, Dec 24, 2012 : 2:09 p.m.
Come on! Can't the hospital get a break? This year has been nasty for the hospital. Hopefully, in 8 days they can start fresh... with a new year.
real_plastic
Mon, Dec 24, 2012 : 3:56 p.m.
a break from scrutiny ? no. could they be as careful with the business side of things as they are actual medical care? definitely.
SonnyDog09
Mon, Dec 24, 2012 : 2:01 p.m.
The thieves usually do not know that the device contains PHI. They steal the device to sell it. That said, the device should have been encrypted. Failure to do so is irresponsible and lazy.
walker101
Mon, Dec 24, 2012 : 12:51 p.m.
Hope fully this electronic device had the a FIND ME application, no that would of been to difficult for management to mandate to insure if something like this would of happened could of easily been resolved.
babs
Mon, Dec 24, 2012 : 5:21 a.m.
The letter we received last week from Omnicell about this incident was very specific about the data that was stolen. And gave a good example of the way the data would look (quite messy, computer style) to the persons that may view the data. I am sure someone with evil intent would find out what meds were given to my family member and the U of M registration number and the MD name and the diagnosis. But the diagnosis has already been made public through our own accord to promote further research. The U of M Comprehensive Cancer Center is totally responsible for the fact that he is still alive and happy living with Stage 4 cancer for years. They are not at all responsible for negligence on the part of a vendor's employee. Don't hate just for the sake of hating. Hate is too stressing and life is too SHORT!
seekerofwisdom
Mon, Dec 24, 2012 : 2:56 p.m.
Life IS too short. It doesn't mean that everyone is comfortable with a flawed system. Technology aside, this is reprehensible on every level. Stop trivializing this crime. Seriously, can we really trust Omnicell to tell the truth? They stand to lose.....a lot!
babs
Mon, Dec 24, 2012 : 5:28 a.m.
PS: However, I did not like the fact that the Omnicell Company sent a letter FIRST. I feel the news should have come from the care provider, U of M, FIRST. But still not worth hatin on them!!.
Veracity
Mon, Dec 24, 2012 : 5:13 a.m.
What concerns me more is whether the UofM has eliminated the security defect that allowed patient data to be downloaded to a laptop computer or to a flash drive. As long as this breach can be repeated no patient at UofM is safe from having personal information stolen. If the data obtained includes names, addresses, birth dates, and social security numbers then identities can be stolen with resulting financial hardship. I am wondering how this breach was discovered in the first place?
Krupper1
Mon, Dec 24, 2012 : 4:51 a.m.
Jeepers, I can't wait until my health information is part of a national database. . . I'm sure it will be secure from interlopers such as employers and insurers . . .
cfsunlet
Mon, Dec 24, 2012 : 3:15 p.m.
This was a business working with the UMHS that lost the information, not the patients' employers or insurers.
SonnyDog09
Mon, Dec 24, 2012 : 2:04 p.m.
As a patient, you will have the right to view the audit log that details who has accessed your health information. In this case, where an extract was made for a third party to work on, the audit log would not contain that. However, best practice is to build extracts like this with PHI removed.
Krupper1
Mon, Dec 24, 2012 : 4:53 a.m.
Oh, and bureaucrats too!
talker
Mon, Dec 24, 2012 : 4:41 a.m.
Demographic information likely means names, addresses, and phone numbers. At least SS numbers weren't included. Will letters to patients be more specific about what infomation was stolen? I hope it's true that credit card numbers and especially Social Security numbers weren't stolen.
Michigan Man
Sun, Dec 23, 2012 : 11:54 p.m.
Oh my! Bonds downgraded, faculty scandal involving insider trading, residents with porn, operating budget problems and now theft of confidential patient all in ONE year!
Gorc
Sun, Dec 23, 2012 : 11:28 p.m.
Electronic equipment....It would be nice to know what type of devise was stolen. Certain types of electronic devises can have their information remotely wiped out if lost or stolen.
Greg
Sun, Dec 23, 2012 : 11:16 p.m.
U of MI has policies in place to prevent this and if devices are stolen, they have encoded data so as not to be of any use to the thieves. If a company doing business with the hospital ignores clearly stated policy, then they are responsible for any damages. Just saying the U has deep pockets and is evil because it is big is nuts.
townie54
Mon, Dec 24, 2012 : 4:57 p.m.
u of m hired this company therefore they share resonsibility
Homeland Conspiracy
Sun, Dec 23, 2012 : 10:20 p.m.
Let's steal Blimpy's back
nickcarraweigh
Sun, Dec 23, 2012 : 9:45 p.m.
Golly, does mean someone may have the wavelength frequency of my heart monitor and be able to manipul ------------- AWWKKK
JRW
Sun, Dec 23, 2012 : 9:27 p.m.
Absolutely unacceptable. I hope there are lawsuits to follow. UM of course downplays and misleads with the statement: "some of their health information may have been stolen." MAY have been stolen? The article states: "vendor notified the health system last month that electronic equipment containing patient information was stolen from the car of an employee on Nov. 14. Included was medication, demographic and health information about patients at three hospitals who were treated between Oct. 24 and Nov. 13." So the health information WAS stolen on an unsecured electronic device, but UM says it MIGHT have been stolen. Ha. Who are you going to believe? Worse yet, more than a month has passed since the theft of the data and we are just learning this now??? Patients haven't even received letters about this theft for 6 weeks! UM needs to be sued.
treetowncartel
Mon, Dec 24, 2012 : 1:32 p.m.
I agree with Gorc. What are the damages?
Gorc
Sun, Dec 23, 2012 : 11:33 p.m.
JRW...if you we're to bring civil litigation against the university, what would be your financial losses at this point?
a2cents
Sun, Dec 23, 2012 : 8:42 p.m.
Is the person responsible still employed?
dsponini
Mon, Dec 24, 2012 : 2:21 p.m.
It was stolen from a car, should the car be impounded for not preventing the theft?