Bankruptcy Court Breach Incident

04/02/2020 - As of April 2020, Michigan Medicine notified approximately 213 individuals about an incident that may have exposed some of their patient information.  This incident is limited to individuals who filed for bankruptcy between 2002 and January 2020 who were either Michigan Medicine patients themselves, or were the guarantor for one or more minors who were Michigan Medicine patients.  Information involved was originally filed by Michigan Medicine for different bankruptcy cases for which Michigan Medicine was a creditor. 

More specifically, on January 13, 2020, Michigan Medicine was alerted that claim documents filed by Michigan Medicine to the bankruptcy court contained patient information that was not required by the bankruptcy court.  The filed documents were available through the court’s public electronic record system called PACER.

Filings related to the earliest bankruptcy cases date back to 2002, and the most recent filings occurred in January 2020.  (The filing date varies based on Michigan Medicine’s receipt of bankruptcy notice from the court). The information was available through the court’s electronic system until it was restricted from viewing by the court in February 2020.

The protected health information involved may have included one or more of the following: 

  • Demographic information (e.g., address)
  • Date of birth
  • Medical record number
  • Visit number
  • Date(s) of service
  • Diagnosis code(s)
  • Procedure(s) and procedure code(s)
  • Billing provider name(s)
  • Name of insurance
  • Social Security number (applies to a small number of individuals)

As soon as Michigan Medicine learned about this issue, a team of legal experts was engaged. They met with the Bankruptcy Court Trustee to explain what happened and the next steps to correct the error.

Beginning January 21, 2020, Michigan Medicine began filing motions with the bankruptcy court to protect the information. Once the motions were approved and signed by the court, detailed payment information owed to Michigan Medicine was sealed by the court so that the information is no longer available or viewable in the court’s system. Michigan Medicine also filed amendments to the original filings that contain very limited information that the court needed as proof of the claim (i.e., the debtor’s name, total amount owed for services rendered, and a notation to contact the claimant for further information).

Also, Michigan Medicine immediately put controls in place to prevent future errors.  All future filings in bankruptcy court will be made by Michigan Medicine attorneys with only the limited information required by the court as proof of the claim. No protected health information will be included in those filings. 

Although information was inappropriately disclosed, we are not aware that information was further used or disclosed for other inappropriate purposes. Patient privacy is very important to us, and we take this matter very seriously. Notices were mailed to affected patients or their personal representative beginning January 30, 2020. In accordance with HIPAA, we are also notifying the Department of Health & Human Services, Office for Civil Rights.

While Michigan Medicine does not have reason to believe that information has been misused, as a precautionary measure, all affected patients have been advised to monitor insurance statements for any potential evidence of fraudulent transactions. Additionally, complementary credit monitoring services have been offered to patients whose Social Security number was involved. 

If you filed for bankruptcy between 2002 and January 2020 and think this incident may apply to you, but you did not receive a notice letter from Michigan Medicine, you can contact the Michigan Medicine Corporate Compliance Office via email at compliance-privacy@med.umich.edu or toll-free at 833-644-0419, 8:00 a.m. and 5:00 p.m., Monday through Friday. Provide your name and contact information, and a Corporate Compliance Privacy Specialist will follow up with you to determine if your information was involved.

We deeply regret any concern this incident may cause, and we are taking the proper steps to reduce the chance of this happening again.