Omnicell HIPAA Breach More Extensive than First Feared

On 21st December the University of Michigan Health System (UMHS) announced that the theft of an electronic device from an Omnicell employee’s car had caused a HIPAA breach affecting 4,000 patients at three of its hospitals. Omnicell has now revealed that the breach also affected approximately 56,000 patients at Sentara Health, and that the records of 8,500 patients of South Jersey Healthcare were also stored on the stolen device.

The Sentara Healthcare data related to patients who had visited one of its outpatient clinics or hospitals. It has now been confirmed that the data is limited to patients of the Sentara CarePlex, Sentara Leigh Hospital, Sentara Norfolk General Hospital, Sentara Obici Hospital, Sentara Princess Anne Hospital, Sentara Virginia Beach General Hospital, Sentara Williamsburg Regional Medical Center, Sentara BelleHarbour, Sentara Independence and Sentara Port Warwick. The records on the device related to visits between Oct 18 and Nov 9, 2012.

Sentara Healthcare issued breach notifications to all affected patients advising them that their clinical and demographic data could have been inappropriately accessed. Sentara Healthcare became aware of the breach on November 20, 2012, five days after the theft occurred.

Omnicell conducted an investigation and determined that the data contained on the device included the names of patients and their dates of birth, patient number and medical record number, although it is possible that other clinical information may also have been present in the database. This “other data” potentially includes details of admission and discharge dates, patient categories, site visited, room number, names of medications issued – including doses and administration method used – and dates that treatment was administered.

Patients were advised that none of the data had been lost and that only a copy was present on the stolen device. Omnicell also confirmed that no Social Security numbers, credit card details or insurance information were present in the data. The theft has been reported to law enforcement and the case is being investigated, although so far the device has not been recovered and the perpetrator has not been apprehended.

Omnicell also notified patients of South Jersey Healthcare of the breach. Affected individuals are understood to be those who had visited hospitals between June 1 and Nov 12, 2012. The data exposed also includes some Social Security numbers, although these were not personally identifiable.

Breach letters were dispatched by Omnicell on 31st December 2012 as a precaution to allow affected patients to take action to reduce the possibility of identity and medical fraud. Omnicell does not believe that the device was stolen for the information it contained.

Omnicell also advised the affected individuals that it is taking steps to improve security to prevent any similar incident from occurring in the future. It will be re-training staff and making the necessary technical upgrades to protect all ePHI that it holds.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.