Michigan Medicine notifies patients of health information data breach

Theft of employee’s laptop could have exposed health information of about 870 people

Michigan Medicine is notifying approximately 870 patients about the theft of a laptop computer that may have exposed some of their health information.

On June 3, 2018, a Michigan Medicine employee’s personal laptop computer was stolen. The theft occurred when the employee’s car was broken into and his bag, which contained the laptop, was stolen. The theft was immediately reported to the local police, and Michigan Medicine was notified on June 4.

The information on the laptop did not include addresses, phone numbers, Social Security numbers, or credit card, debit card or bank account numbers, but did include some limited health information that was collected for research.

The data stored on the laptop varied based on the research studies, but could have included patient names, birthdates, medical record numbers, gender, race, diagnosis and other treatment-related information.

The research studies involved were approved by the Institutional Review Board (IRB) at Michigan Medicine. The IRB reviews and approves proposed research studies involving human subjects to assure compliance with rigorous federal research regulatory requirements, including patient confidentiality and other human subject protections.

The IRB approved the collection of limited patient information. However, in violation of the IRB approvals and Michigan Medicine policies, the employee downloaded and stored the research data on his personal laptop. The laptop was password-protected, but it was not encrypted.

Michigan Medicine policy requires that patient information be stored on an encrypted device. Encryption is the strongest and most secure method of protecting data.

“Patient privacy is extremely important to us, and we take this matter very seriously. Michigan Medicine has taken immediate steps to investigate this matter,” said Jeanne Strickland, Michigan Medicine chief compliance officer. 

As a precautionary measure, affected patients have been advised to monitor their medical insurance statements for any potential evidence of fraudulent transactions using their information. However, Michigan Medicine believes the risk of this occurring is low, partly because the data on the electronic device does not include any health plan information or other identifying information that could lead to medical identity theft or financial identity theft.

Michigan Medicine continues to educate our entire workforce on the importance of following our patient privacy policies. In response to this incident, educational materials will be improved to further enhance key messages about the prohibited use of personal, unencrypted devices for storage of research data.

As required by federal law, Michigan Medicine is also notifying the U.S. Department of Health and Human Services Office for Civil Rights.

Affected Michigan Medicine patients are expected to receive letters in the mail notifying them of this incident within the next couple of days. Patients who have concerns or questions may call toll-free 855-336-5900, Monday through Friday, from 8 a.m. to 5 p.m.