On November 14th, a UMHS (University of Michigan Health Systems) laptop with information on over 4,000 patients was stolen. At the time of the theft, it was in the care of an Omnicell (hospital vendor) employee. An investigation found that the data was unsecured at the time.
This could be a direct violation of HIPAA (Health Insurance Portability and Accountability Act of 1996), which requires sensitive data to be encrypted, especially when it’s taken offsite. The vendor notified UMHS of the security breach six days after the incident, but neither UMHS nor Omnicell has issued any statements on their websites. However, HIPAA’s breach notification rule states that they have “60 days following the discovery of a breach” to notify individuals and the media regarding any incident affecting more than “500 residents of a state or jurisdiction.”
Omnicell, a developer of medication management software, admits it violated both its own and UMHS hospitals’ data storage policies. The Detroit Free Press reported that the laptop only contained patients’ demographics, medication regimes and admissions records. However, The Michigan Daily reported that a larger portion of personal information was available. They report it actually contained “names, birth dates, UMHS patient numbers and medical record numbers for patients seen between October 24 and November 13, 2012.”