PHI of 870 Patients of Michigan Medicine Potentially Exposed Due to Laptop Theft

Michigan Medicine has informed 870 of its patients that an unencrypted laptop computer has been stolen, exposing some of their protected health information (PHI). An employee of the hospital saved the PHI on a personal laptop computer that was left in his vehicle. The vehicle was broken into and the employee’s bag, which contained the laptop, was stolen. The incident was immediately reported to law enforcement on June 3, 2018. Michigan Medicine was informed on June 4.

The patients whose PHI was stored on the laptop were participants in research studies. The information that was potentially exposed differs from patient to patient, depending on the research study. Information such as patient names, race, gender, medical record numbers, diagnoses and treatment information may have been exposed, although no highly sensitive information such as health plan ID numbers, Social Security numbers and financial data were stored on the laptop. The patients’ addresses and contact numbers were also not exposed.

The Institutional Review Board (IRB) at Michigan Medicine approved all the research studies and the patients involved in the studies gave their consent to the collection and use of their data for research. The IRB has strict privacy and security policies for research involving human subjects and appropriate safeguards must be implemented to ensure the confidentiality of patient data.

Despite the efforts of Michigan Medicine to comply with all the regulations and implement the required security controls, an employee violated the IRB requirements and the policies of Michigan Medicine. The employee involved in the breach incident downloaded the research data to his personal laptop computer without authorization. Michigan Medicine policies require the encryption of patient data on all portable electronic devices, including laptops and portable drives. This is a measure to avoid PHI exposure in case a device is lost or stolen. Michigan Medicine said the laptop was password-protected but the data were not encrypted.

Michigan Medicine has already notified patients about the breach. Even though there is believed to be a low risk of data misuse and the types of data exposed are insufficient to steal identities or commit insurance fraud, patients have still been advised to check their insurance statements for indications of suspicious activity.

This incident prompted Michigan Medicine to conduct additional HIPAA training to emphasize its policies on patient privacy as well as policies involving the use of personal, unencrypted devices for work purposes.


Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: