Michigan Medicine has informed 870 of its patients that an unencrypted laptop computer has been stolen, exposing some of their protected health information (PHI). An employee of the hospital saved the PHI on a personal laptop computer that was left in his vehicle. The vehicle was broken into and the employee’s bag, which contained the laptop, was stolen. The incident was immediately reported to law enforcement on June 3, 2018. Michigan Medicine was informed on June 4.
The patients whose PHI was stored on the laptop were participants in research studies. The information that was potentially exposed differs from patient to patient, depending on the research study. Information such as patient names, race, gender, medical record numbers, diagnoses and treatment information may have been exposed, although no highly sensitive information such as health plan ID numbers, Social Security numbers and financial data was stored on the laptop. The patients' addresses and contact numbers were also not exposed.
The Institutional Review Board (IRB) at Michigan Medicine approved all the research studies and the patients involved in the studies gave their consent to the collection and use of their data for research. The IRB has strict privacy and security policies for research involving human subjects and appropriate safeguards must be implemented to ensure the confidentiality of patient data.
Despite the efforts of Michigan Medicine to comply with all the regulations and implement the required security controls, an employee violated the IRB requirements and the policies of Michigan Medicine. The employee involved in the breach incident downloaded the research data to his personal laptop computer without authorization. Michigan Medicine policies require the encryption of patient data on all portable electronic devices, including laptops and portable drives. This measure prevents PHI exposure if a device is lost or stolen, because encrypted data remain unreadable to whoever holds the hardware. Michigan Medicine said the laptop was password-protected but the data were not encrypted; a login password alone controls access to the operating system and does not protect data at rest, since the drive itself can be read directly.
Michigan Medicine has already notified patients about the breach. Even though there is believed to be a low risk of data misuse and the types of data exposed are insufficient to steal identities or commit insurance fraud, patients have still been advised to check their insurance statements for indications of suspicious activity.
This incident prompted Michigan Medicine to conduct additional employee training to emphasize its policies on patient privacy as well as policies involving the use of personal, unencrypted devices for work purposes.