Michigan Medicine Reports Hundreds of Patients of PHI Disclosure

June 30, 2018


An unencrypted laptop computer having the protected health information (PHI) of 870 patients of Michigan Medicine has been thieved.

The PHI was stored on a private laptop computer which had been left unattended in a worker’s automobile. A thief broke into the car and thieved the worker’s bag, which contained the appliance. The thievery happened on June 3, 2018 and it was instantly reported to police. Michigan Medicine was told of the thievery the next day on June 4.

The laptop had a variety of PHI of patients who had taken part in research studies. The kinds of information disclosed differed depending on the kind of research the patients had contributed in. Extremely confidential information like health plan ID numbers, Social Security numbers, and financial information were not saved on the appliance and contact telephone numbers and addresses were not disclosed. The information disclosed was restricted to names, diagnoses, race, gender, medical record numbers, and cure information.

All of the research lessons had been sanctioned by the Institutional Review Board (IRB) at Michigan Medicine and approval to gather the data and use the information for research had been gotten from the patients. The IRB needs all research lessons involving human subjects to abide by stringent regulatory requirements, which contains applying protections to make sure patient secrecy is guaranteed.

Although Michigan Medicine followed all rules and had applied correct safety controls to avoid the disclosure of patient data, the worker breached IRB approvals and Michigan Medicine rules by downloading the research data to his private laptop computer.

Michigan Medicine has rules in place that need all patient data saved on moveable electronic appliances like laptop computers to be encrypted to avoid disclosure of the data in case of theft or loss of an appliance. Nevertheless, as the data were downloaded to a personally possessed appliance without the knowledge of Michigan Medicine, the data were not encrypted; even though, the worker’s laptop was safeguarded with a password.

Patients have been informed of the breach and have been instructed to check their insurance statements for indications of fake activity, even though the danger of abuse of data is supposed to be little as the appliance didn’t contain the kinds of information required for insurance fraud or identity theft.

HIPAA needs patients to be informed of breaches of PHI without avoidable delay and no later than 60 days after the detection of a breach. Michigan Medicine must be applauded for issuing notices quickly – within three weeks of the detection of the breach.

Michigan Medicine has carried out additional training of the staff to reiterate its patient secrecy policies and academic materials are being upgraded “to further increase key messages concerning the forbidden use of private, unencrypted appliances for storing of research data.”