Posted on Sat, Dec 29, 2012 : 5:58 a.m.

Stolen laptop containing information of 4,000 U-M hospital patients still missing

By Amy Biolchini

A laptop containing the names and medication information of 4,000 patients at the University of Michigan Health System remains missing more than a month after it was stolen in California.

The laptop belonged to an Omnicell employee. UMHS contracts with the company to program its medication cabinets.

UMHS and Omnicell notified the affected patients last week, about a month after the health system learned of the theft of the laptop containing patient information. Information of an undetermined number of patients at two other hospitals in markets outside of Michigan was also in files on the laptop, said Todd Simms, Omnicell spokesman.

All of the information on the laptop concerns patients who were treated between Oct. 24 and Nov. 13. The names of the two other hospitals involved in the data breach have not been released because they have yet to notify their patients, Simms said.

Omnicell, based in Mountain View, Calif., installs automation equipment and software to help UMHS manage inventory and medications in its hospitals.

In Omnicell’s 20-year history, there has never been a data breach of patient information from a hospital client before, Simms said, calling it an “isolated incident.”

The employee was a new engineer with Omnicell and had undergone all of the necessary HIPAA training, Simms said. The employee had downloaded certain medication log files containing patient data to analyze some pre-release software intended for use in medication cabinets, Simms said.

The laptop was stolen Nov. 14 from the employee’s car, which was sitting in his driveway at his home in California.

However, the employee violated both Omnicell and UMHS policy by not encrypting the information, Simms said. The laptop was password-protected.

“We have no reason to believe the device was stolen for this information - and it is unlikely the thief would know the information was on the device,” according to a statement from Pete Barkey, director of public relations for UMHS.

Data files on the laptop contained patients’ names, birth dates, UMHS patient number and medical record number, gender, admission and discharge dates, physician name, patient type, location in the hospital, room number, medication name and dosage amounts.

The files did not contain addresses, Social Security numbers or credit card information.

Simms said the data was not clearly marked as patient health information and was not easy to locate and manipulate on the laptop.

“It’s in engineering log file language,” Simms said.

The employee whose laptop was stolen was disciplined and remains employed with Omnicell, Simms said.

“The company is at the end responsible,” Simms said. “We’re doubling our efforts to make sure every single laptop in our company that has any remote possibility of containing patient health information is encrypted.”

Simms said he believes the business relationship between Omnicell and UMHS to be in good standing.

Omnicell notified UMHS Nov. 20 that the laptop had been stolen, and patients were notified about a month later by a joint letter from Omnicell and UMHS.

The delay between the Health System learning of the data breach and when patients were notified is due to internal analysis of the patients affected and the risk, Simms said.

In addition to the ongoing police investigation into the theft of the corporate-issued laptop, Omnicell has a private investigator on the case, Simms said. UMHS’ investigation is ongoing, Barkey said.

The University of Michigan Health System has stated it considers patients to be at a low risk for having their personal information stolen, but has advised affected patients to monitor their health insurance statements to watch for evidence of fraud.

Omnicell will be footing the bill for the call center that has been set up to handle questions and concerns about the data breach, Simms said.

UMHS patients with questions or concerns can call (855) 855-4331 from 8 a.m. to 5 p.m. Mondays through Fridays, and from 8 a.m. to 2 p.m. Saturdays.

Amy Biolchini covers Washtenaw County, health and environmental issues for AnnArbor.com. Reach her at (734) 623-2552, amybiolchini@annarbor.com or on Twitter.

Comments

James Staley

Mon, Jan 7, 2013 : 3:43 a.m.

Usually when something happens at the University of Michigan Medical Center like this the workers in the Computer Department are usually promoted with a big raise in pay. I know for a fact, I saw it happen after I told all of the top Administration about sleeping co-workers that were sleeping during work time, and some of the sleeping workers are now promoted and I was fired after working there for 17 years just before my 50th birthday. I was told I could never work there again after making the co-workers look bad and they just got promoted. The sleeping worker was Stacie Johnson and her supervisor Marilyn Lanzon just promoted her and had me fired. The medical information is now in California and NO one cares. Just like they do not care about the Patients that almost died when I told all of the top administration.

Nicholas Urfe

Sun, Dec 30, 2012 : 2:17 p.m.

The company is trying to blame the "new engineer". That's just spin, and lousy CYA. If the company-provided laptop was properly configured according to standard best practices for confidential data, all the data would have been encrypted automatically. It would have been impossible for the engineer to store the data unencrypted on the laptop. Apparently umich has a lot of work to do in protecting privacy and verifying vendor compliance. It's a big job.

SonnyDog09

Sun, Dec 30, 2012 : 1:59 p.m.

This incident will be investigated by the HHS Office of Civil Rights (OCR): http://www.hhs.gov/ocr/privacy/index.html

OCR will publish their findings and remediation steps that both UMHS and Omnicell will be required to take. This may include provision of credit monitoring to the patients. This incident will be added to the "wall of shame".

Al

Sun, Dec 30, 2012 : 6:21 a.m.

In all likelihood, this computer was stolen, wiped and resold. The patient info should be safe; however, if you may have any info in jeopardy be VERY leery.

dading dont delete me bro

Sun, Dec 30, 2012 : 3:07 a.m.

wipe the iCloud?

music to my ear

Sun, Dec 30, 2012 : 2:39 a.m.

so cannot the u of m afford a tracking device, important information like that is worth it. I know I've paid a lot of money to that hosp. great!!!!!

widmer

Sun, Dec 30, 2012 : 3:32 a.m.

So cannot you read the article? It wasn't a UM laptop that was stolen, it belonged to an employee that UM contracts with to provide medication dispensing technology. No hospital can look after every employee of every entity that it must share data with.

JRW

Sat, Dec 29, 2012 : 9:35 p.m.

"The Omnicell spokesman said it's standard practice for its employees to take their laptops out of the office, as mobility is an essential part of the way the company can service its hospital clients -- which is why it's company policy to encrypt files with patient data. The employee violated that policy." Yet, the employee wasn't fired!

seldon

Sun, Dec 30, 2012 : 4:36 p.m.

If you fire employees every time they do something wrong, you're not going to get good results or good employees.

JRW

Sat, Dec 29, 2012 : 9:34 p.m.

"The delay between the Health System learning of the data breach and when patients were notified is due to internal analysis of the patients affected and the risk, Simms said." What the heck does this mean?? An internal analysis of the patients affected and the risk? Need a much more specific explanation of the delay. This entire situation is totally unacceptable. "The University of Michigan Health System has stated it considers patients to be at a low risk for having their personal information stolen, but has advised affected patients to monitor their health insurance statements to watch for evidence of fraud." Huh? UMHS considers this a low risk situation? I disagree. Any stolen medical information is a very serious breach of patient confidentiality. UMHS is minimizing this, of course, to make it look better than it is. They are at fault for not protecting the patient information. Period. Just because Social Security numbers were not involved doesn't make it any less serious. This breach is in violation of HIPPA laws, and those affected should sue. You'll be in court, UMHS. "The employee whose laptop was stolen was disciplined and remains employed with Omnicell, Simms said." The employee wasn't fired??????

widmer

Sun, Dec 30, 2012 : 3:46 a.m.

Greetings. I have significant experience working with Omnicell cabinets over the past several years, and you really could use some better perspective:

1. To begin with, it's HIPAA, not HIPPA. Health Insurance Portability and Accountability Act.

2. Why on earth should UMHS be liable? It was data off of a laptop belonging to an employee from a company that UMHS contracts with (Omnicell). Meanwhile, UMHS had not wrongfully provided this information to the Omnicell employee, as this type of information (medication vending transactions) is necessary for Omnicell to evaluate and service their automated dispensing cabinets.

3. It IS a low risk situation. How can you disagree before knowing precisely what information was shared? The Omnicell cabinets only log information regarding which medications were dispensed to the patient from the cabinet during that patient's stay. NOTHING ELSE. There is no social security number, diagnosis, any other part of the patient's file, etc. etc. If I were one of these "affected" patients, I couldn't care less.

4. The delay occurred most likely to simply evaluate how many patients were truly affected. It is easy for me to understand, being that the technician most likely services dozens upon dozens of Omnicell cabinets, and they were trying to figure out who all could have been affected by the theft.

So calm down.

leaguebus

Sat, Dec 29, 2012 : 5:17 p.m.

It's amazing that hard drive encryption was not done when the software was loaded originally. I would be leery of this company if I was UM.

Gorc

Sat, Dec 29, 2012 : 3:21 p.m.

If I were one of those four thousand patients, I would ask (demand?) from Omnicell or U of M Health Systems for two years of fraud monitoring protection. It appears the employee violated HIPAA and both organizations' internal policies. And according to the article Omnicell is admitting fault. So if they did not honor the request for fraud monitoring protection, the patient would have a strong case in small claims court.

Gorc

Sun, Dec 30, 2012 : 3:08 p.m.

Music to my ears - U of M Health systems and Omnicell sent a joint notification letter to each patient that this impacted. And they disclosed what type of personal information was compromised. The cat is already out of the bag...it would be difficult for them to backpedal at this point.

music to my ear

Sun, Dec 30, 2012 : 2:41 a.m.

but how do we know whose information was stolen, they will never admit whose, they will just say what's your name, and wait a few minutes, oh no, your info was not stolen.

SonnyDog09

Sat, Dec 29, 2012 : 2:51 p.m.

"It's in engineering log file language," Simms said. That gave me a good chuckle this morning. I just love it when speakspeople try to explain tech.

PT

Sat, Dec 29, 2012 : 2:41 p.m.

Why was a laptop with this HIPAA-protected information in someone's car at his private home? It should not have left the office.

Amy Biolchini

Sat, Dec 29, 2012 : 4:08 p.m.

The Omnicell spokesman said it's standard practice for its employees to take their laptops out of the office, as mobility is an essential part of the way the company can service its hospital clients -- which is why it's company policy to encrypt files with patient data. The employee violated that policy.

SonnyDog09

Sat, Dec 29, 2012 : 2:53 p.m.

One of the major purposes of having a laptop is to be able to work outside the office. I take my work laptop home with me every night. Although I am unlikely to have PHI on my laptop, the disk is encrypted per company policy.

Craig Lounsbury

Sat, Dec 29, 2012 : 2:21 p.m.

I'm no computer geek, one may come along and confirm or refute my notion but...... It's got to be possible to remotely wipe out a hard drive via WiFi, isn't it? I can do it with my cell phone.

Al

Sun, Dec 30, 2012 : 6:18 a.m.

This is possible with certain software; unfortunately most companies do not invest in this.

FredMax

Sat, Dec 29, 2012 : 3:02 p.m.

If that solution became too common, thieves would learn to pull all the data off the drive prior to subjecting the laptop to wifi. An encrypted hard drive would provide a more complete solution. It works in other industries.

Craig Lounsbury

Sat, Dec 29, 2012 : 2:41 p.m.

I should add, I mean the technology is available, though maybe not installed on that laptop. But if the technology is available to be installed why wouldn't it be in the interest of public safety?