Michigan Medicine Informs Hundreds of Patients of PHI Exposure

July 2, 2018


An unencrypted laptop computer having the protected health information (PHI) of 870 patients of Michigan Medicine has been thieved.

The PHI was saved on a private laptop computer which had been left unattended in a worker’s automobile. A thief broke into the car and thieved the worker’s bag, which contained the appliance. The thievery happened on June 3, 2018 and it was instantly informed to police. Michigan Medicine was informed of the thievery the next day on June 4.

The laptop had a variety of PHI of patients who had taken part in research studies. The kinds of information exposed differed depending on the kind of research the patients had taken part in. Extremely confidential information like health plan ID numbers, Social Security numbers, and financial information were not stored on the appliance and addresses and contact telephone numbers were not revealed. The information revealed was restricted to names, diagnoses, race, gender, medical record numbers, and treatment information.

All of the research reports had been accepted by the Institutional Review Board (IRB) at Michigan Medicine and approval to get the data and use the information for research had been gotten from the patients. The IRB needs all research studies involving human matters to abide by stringent monitoring requirements, which contains applying protections to make sure patient secrecy is guaranteed.

Although Michigan Medicine obeyed all rules and had applied proper safety controls to avoid the disclosure of patient data, the worker disobeyed IRB approvals and Michigan Medicine rules by downloading the research data to his private laptop computer.

Michigan Medicine has rules in place that need all patient data saved on moveable electronic appliances like laptop computers to be encrypted to avoid disclosure of the data in case of theft or loss of an appliance. Nevertheless, as the data were downloaded to an individually owned appliance without the knowledge of Michigan Medicine, the data were not encoded; even though, the worker’s laptop was safeguarded with a password.

Patients have been informed of the violation and have been advised to check their insurance statements for indications of fake activity, even though the danger of abuse of data is supposed to be low as the appliance didn’t contain the kinds of information required for identity thievery or insurance scam.

HIPAA needs patients to be informed of violations of PHI without needless delay and no later than 60 days after the detection of a violation. Michigan Medicine must be applauded for issuing notices quickly – within three weeks of the detection of the breach.

Michigan Medicine has carried out additional training of the staff to reiterate its patient secrecy rules and educational resources are being improved “to further increase main messages concerning the forbidden use of private, unencrypted appliances for storing of research data.”