An unencrypted laptop containing the protected health information (PHI) of 870 Michigan Medicine patients has been stolen.
The PHI was stored on a personal laptop that had been left unattended in an employee’s vehicle. A thief broke into the car and stole the employee’s bag, which contained the device. The theft occurred on June 3, 2018 and was reported to law enforcement immediately. Michigan Medicine was notified of the theft the following day, June 4.
The laptop held a range of PHI belonging to patients who had participated in research studies. The types of information exposed varied depending on the study each patient had taken part in. Highly sensitive information such as health plan ID numbers, Social Security numbers, and financial information was not stored on the device, and addresses and contact telephone numbers were not exposed. The exposed information was limited to names, diagnoses, gender, medical record numbers, race, and treatment information.
All of the research studies had been approved by the Institutional Review Board (IRB) at Michigan Medicine, and consent to collect the data and use it for research had been obtained from the patients. The IRB requires all research studies involving human subjects to meet strict regulatory requirements, including the implementation of safeguards to ensure that patient privacy is protected.
Although Michigan Medicine complied with all applicable rules and had implemented appropriate security controls to prevent the exposure of patient data, the employee violated the IRB approvals and Michigan Medicine policies by downloading the research data to his personal laptop.
Michigan Medicine policy requires all patient data stored on portable electronic devices such as laptops to be encrypted, so that the data are not exposed if a device is lost or stolen. However, because the data were downloaded to a personally owned device without Michigan Medicine’s knowledge, the data were not encrypted; the employee’s laptop was protected only by a login password, which, unlike encryption, does not protect the data at rest on the disk.
Patients have been notified of the breach and advised to monitor their insurance statements for signs of fraudulent activity, although the risk of misuse of the data is believed to be low, as the device did not contain the types of information needed for identity theft or insurance fraud.
HIPAA requires patients to be notified of breaches of PHI without unreasonable delay and no later than 60 days after the discovery of a breach. Michigan Medicine should be commended for issuing notifications promptly, within three weeks of discovering the breach.
Michigan Medicine has provided additional training to staff to reinforce its patient privacy policies, and educational materials are being updated “to further increase key messages concerning the forbidden use of private, unencrypted appliances for the storage of research data.”