Share this article on:
An unencrypted laptop computer containing the protected health information (PHI) of 870 patients of Michigan Medicine has been stolen.
The PHI was saved on a personal laptop computer which had been left unattended in an employee’s vehicle. A thief broke into the car and stole the employee’s bag, which contacted the device. The theft occurred on June 3, 2018 and it was immediately reported to law enforcement. Michigan Medicine was informed of the theft the following day on June 4.
The laptop contained a range of protected health information of patients who had participated in research studies. The types of information exposed varied depending on the type of research the patients had participated in. Highly sensitive information such as Social Security numbers, health plan ID numbers, and financial information were not stored on the device and addresses and contact telephone numbers were not exposed. The information exposed was limited to names, medical record numbers, gender, race, diagnoses, and treatment information.
All of the research studies had been approved by the Institutional Review Board (IRB) at Michigan Medicine and consent to collect the data and use the information for research had been obtained from the patients. The IRB requires all research studies involving human subjects to comply with strict regulatory requirements, which includes implementing safeguards to ensure patient confidentiality is assured.
While Michigan Medicine complied with all regulations and had implemented appropriate security controls to prevent the exposure of patient data, the employee violated IRB approvals and Michigan Medicine policies by downloading the research data to his personal laptop computer.
Michigan Medicine has policies in place that require all patient data stored on portable electronic devices such as laptop computers to be encrypted to prevent exposure of the data in case of loss or theft of a device. However, since the data were downloaded to a personally owned device without the knowledge of Michigan Medicine, the data were not encrypted; although, the employee’s laptop was protected with a password.
Patients have been notified of the breach and have been advised to monitor their insurance statements for signs of fraudulent activity, although the risk of misuse of data is believed to be low as the device did not contain the types of information necessary for identity theft or insurance fraud.
HIPAA requires patients to be notified of breaches of PHI without unnecessary delay and no later than 60 days following the discovery of a breach. Michigan Medicine should be commended for issuing notifications promptly – within three weeks of the discovery of the breach.
Michigan Medicine has conducted further training of the workforce to reiterate its patient privacy policies and educational materials are being improved “to further enhance key messages about the prohibited use of personal, unencrypted devices for storage of research data.”