Stolen laptop containing information of 4,000 U-M hospital patients still missing
A laptop containing the names and medication information of 4,000 patients at the University of Michigan Health System remains missing more than a month after it was stolen in California.
The laptop belonged to an Omnicell employee. UMHS contracts with the company to program its medication cabinets.
UMHS and Omnicell notified the affected patients last week, about a month after it learned of the theft of the laptop containing patient information. Information of an undetermined number of patients at two other hospitals in markets outside of Michigan was also in files on the laptop, said Todd Simms, Omnicell spokesman.
All of the information on the laptop regards patients that were treated between Oct. 24 and Nov. 13. The names of the two other hospitals involved in the data breach have not been released because they have yet to notify their patients, Simm said.
Omnicell, based in Mountain View, Calif., installs automation equipment and software to help UMHS manage their inventory and medications in its hospitals.
In Omnicell’s 20-year history, there has never been a data breach of patient information from a hospital client before, Simms said, calling it an “isolated incident.”
The employee was a new engineer with Omnicell and had undergone all of the necessary HIPAA training, Simms said. The employee had downloaded certain medication log files containing patient data to analyze some pre-release software intended for use in medication cabinets, Simms said.
The laptop was stolen Nov. 14 from the employee’s car, which was sitting in his driveway at his home in California.
However, the employee violated both Omnicell and UMHS policy by not encrypting the information, Simms said. The laptop was password-protected.
“We have no reason to believe the device was stolen for this information - and it is unlikely the thief would know the information was on the device,” according to a statement from Pete Barkey, director of public relations for UMHS.
Data files on the laptop contained patients’ names, birth dates, UMHS patient number and medical record number, gender, admission and discharge dates, physician name, patient type, location in the hospital, room number, medication name and dosage amounts.
The files did not contain addresses, Social Security numbers or credit card information.
Simms said the data was not clearly marked as patient health information and was not easy to locate and manipulate on the laptop.
“It’s in engineering log file language,” Simms said.
The employee whose laptop was stolen was disciplined and remains employed with Omnicell, Simms said.
“The company is at the end responsible,” Simms said. “We’re doubling our efforts to make sure every single laptop in our company that has any remote possibility of containing patient health information is encrypted.”
Simms said he believes the business relationship between Omnicell and UMHS to be in good standing.
Omnicell notified UMHS Nov. 20 that the laptop had been stolen, and patients were notified about a month later by a joint letter from Omnicell and UMHS.
The delay between the Health System learning of the data breach and when patients were notified is due to internal analysis of the patients affected and the risk, Simms said.
In addition to the ongoing police investigation into the theft of the corporate-issued laptop, Omnicell has a private investigator on the case, Simms said. UMHS’ investigation is ongoing, Barkey said.
The University of Michigan Health System has stated it considers patients to be at a low risk for having their personal information stolen, but has advised affected patients to monitor their health insurance statements to watch for evidence of fraud.
Omnicell will be footing the bill for the call center that has been set up to handle questions and concerns about the data breach, Simms said.
UMHS patients with questions or concerns can call (855) 855-4331 from 8 a.m. to 5 p.m. Mondays through Fridays, and from 8 a.m. to 2 p.m. Saturdays.