University of Michigan Health Systems Admits Patient Data Stolen


UPDATE – Some 4,000 University of Michigan Health Systems patients had their medical data compromised last month when a vendor’s laptop containing medication log files was stolen from a vehicle.


That medication management provider, Mountain View, Calif.-based Omnicell, admits it violated both its own and UMHS hospitals’ data storage policies when it left patients’ demographics, medication regimes and admissions records on an unsecured device that was stolen from an Omnicell employee’s car on Nov. 14.

The stolen data did not contain personal identification such as addresses, phone numbers, Social Security numbers or financial data, according to The Detroit Free Press.

Impacted patients were notified by letter beginning last week, the report said.

The UMHS theft is just one in a long line of hospital data security breaches this year, many the result of missing or stolen devices or discs that held patient data.

Yesterday, in an ongoing series, the Washington Post published a report, a year in the making, on the health care sector’s vulnerability to hackers. One reason may be that health care data security laws, such as the security and privacy provisions of HIPAA, have not kept up with technology, and (sometimes outdated) software is left unpatched.

“Security researchers are starting to turn up the same kinds of trivial-seeming flaws that earlier opened the way for hackers to penetrate financial services networks, Pentagon systems and computers at firms such as Google,” the report said.

In one example of lax security practices, a University of Chicago medical center used an unsecured Dropbox account and a single username and password (published in an online manual) to manage patient care via residents’ iPads.

The risks go beyond identity theft and fraud. In recent years a security researcher known as Barnaby Jack has demonstrated how insulin pumps and pacemakers could be controlled wirelessly to remotely send lethal doses and voltage to patients.

Since August 2009, when HIPAA’s Breach Notification Rule took effect, approximately 21 million patient records have been breached, according to the U.S. Department of Health and Human Services. That figure doesn’t account for breaches covered by the under-500-patients exemption.

This article was updated Dec. 28 to clarify that a vendor’s laptop and not hospital equipment was stolen from a car.
