Michigan Medicine has revealed that the personal and sensitive health information of over 800 patients may have been compromised after an employee's personal laptop was stolen. The academic medical center said the laptop was taken on June 3 when the employee's car was broken into and the bag containing the laptop was stolen.
'Limited health information' compromised
The data stored on the laptop included "limited health information" of 870 people collected for research and possibly included patient names, dates of birth, medical record numbers, gender, race, diagnosis and other treatment-related information.
"The research studies involved were approved by the Institutional Review Board (IRB) at Michigan Medicine," the Ann Arbor-based center said in a statement. "The IRB reviews and approves proposed research studies involving human subjects to assure compliance with rigorous federal research regulatory requirements, including patient confidentiality and other human subject protections.
"The IRB approved the collection of limited patient information. However, in violation of the IRB approvals and Michigan Medicine policies, the employee downloaded and stored the research data on his personal laptop."
Michigan Medicine said the laptop was password-protected but not encrypted, despite a policy already in place mandating that patient information be stored on encrypted devices.
The center said addresses, phone numbers, Social Security numbers, and financial information were not compromised in the breach.
Medical identity theft risks
It also said the risk of fraud is low, given that no health plan data or personally identifying information was stored on the stolen laptop.
"Michigan Medicine believes the risk of this occurring is low, partly because the data on the electronic device does not include any health plan information or other identifying information that could lead to medical identity theft or financial identity theft," the center said in a statement.
Still, affected patients have been advised to monitor their medical insurance statements for any suspicious activity or evidence of fraudulent transactions.
“Patient privacy is extremely important to us, and we take this matter very seriously. Michigan Medicine has taken immediate steps to investigate this matter,” Jeanne Strickland, Michigan Medicine chief compliance officer, said.
The theft was immediately reported to local police while Michigan Medicine was notified on June 4. The US Department of Health and Human Services Office for Civil Rights has also been notified of the breach.
"Michigan Medicine continues to educate our entire workforce on the importance of following our patient privacy policies," the center added. "In response to this incident, educational materials will be improved to further enhance key messages about the prohibited use of personal, unencrypted devices for storage of research data."