Ann Arbor-based Michigan Medicine is notifying approximately 870 patients after an employee's personal laptop computer that stored limited health information collected for research was stolen from his car June 3.
The theft was immediately reported to local police, and Michigan Medicine was notified June 4.
The laptop contained data used for research studies and could have included patients' names, birthdates, medical record numbers, genders, races, diagnoses and other treatment-related information. Addresses, phone numbers, Social Security numbers and financial data were not compromised.
The research studies were approved by Michigan Medicine's Institutional Review Board, which OK'd the use of limited patient information. However, the employee violated IRB and Michigan Medicine policies when he downloaded and stored the data on his personal laptop. Although the laptop was password protected, it was not encrypted, and hospital policy mandates patient information be kept on an encrypted device.
Becker's Hospital Review asked Michigan Medicine whether the employee has been reprimanded, and a hospital spokesperson said it is "investigating the matter."
"Patient privacy is extremely important to us, and we take this matter very seriously. Michigan Medicine has taken immediate steps to investigate this matter," Jeanne Strickland, Michigan Medicine chief compliance officer, said in a press release. Hospital staff have received educational information concerning the use of personal, unencrypted devices for storage of research data.
Michigan Medicine believes there is a low risk that the patient information will be misused since the data on the laptop does not include any health plan or other identifying information commonly used to commit medical or financial identity theft.
More articles on cybersecurity:
Federal court reaffirms individual patients cannot file HIPAA lawsuits: 5 things to know
Report: New scam demands ransom payment — but does not deploy ransomware
Man's antenna picks up PHI from pagers at 5+ hospitals