Ann Arbor, Mich. – Michigan Medicine mailed letters to 871 patients about a stolen laptop computer that may have exposed some of their health information. The theft occurred on June 3rd when the employee’s car was broken into and his bag, which contained the laptop, was stolen. The theft was immediately reported to the local police, and Michigan Medicine was notified on June 4.
The information on the laptop did not include addresses, phone numbers, social security numbers, credit card, debit card, or bank account numbers, but did include some limited health information that was collected for various research studies. Depending on the particular research study, the data stored on the laptop varied, but may have included patient names, birthdates, medical record number, gender, race, diagnosis, and other treatment-related information. Information about the studies involved is available below under Research Studies Involved in the Incident.
Please note: Notices were mailed to the affected patients or their personal representatives. If you are concerned that your or a family member’s information may have been involved in one of these research studies (see below) but do not receive a letter by July 25, 2018, you may call toll-free 855-336-5900, Monday through Friday, from 8 a.m. to 5 p.m.
The research studies involved were submitted to the Institutional Review Board (IRB) at Michigan Medicine. The IRB reviews and approves proposed research studies involving human subjects to assure compliance with rigorous federal research regulatory requirements, including patient confidentiality and other human subject protections. However, in violation of the IRB approvals and Michigan Medicine policies, the research data was downloaded and stored on an unsecure personal laptop. The laptop was password-protected, but it was not encrypted.
Michigan Medicine policy requires that patient information be stored on an encrypted device – encryption is the strongest and most secure method of protecting data.
Upon notification of the theft, Michigan Medicine immediately conducted an investigation. It was determined that this incident occurred because standard policies and procedures for safeguarding the information were not followed. This constitutes a violation of the Michigan Medicine Code of Conduct and patient privacy policies, which all Michigan Medicine employees are regularly trained on and required to follow.
There is no indication that the device was taken for the information it contained or that the information has been accessed or used improperly. However, as a precautionary measure, affected patients have been advised to monitor their medical insurance statements for any potential evidence of fraudulent transactions using their information. Michigan Medicine believes the risk of this occurring is low because the data on the electronic device does not include any health plan information or other identifying information that could lead to medical identity theft or financial identity theft.
Michigan Medicine continues to educate its entire workforce on the importance of following its patient privacy policies. In response to this incident, procedures are under review to ensure compliance with our encryption policies, and educational materials will be improved to further enhance key messages about the prohibited use of personal, unencrypted devices for storage of research data. Patient privacy is extremely important to Michigan Medicine, and this matter is taken very seriously.
Research Studies Involved in the Incident
Below is a list of the research studies that were involved in the incident along with a short description of each:
- The Role of Early Nephrectomy in Neonates with Autosomal Recessive Polycystic Kidney Disease: This study is to determine if early kidney removal improves the survival of neonatal patients with Autosomal Recessive Polycystic Kidney Disease until renal transplant can occur.
- Chylothorax and Solid Tumors of Childhood: This study is to identify the incidence of lymphatic/chyle leak among children who have undergone excision of solid tumors, their management, outcomes in terms of length of stay, additional complications, and need for further operative intervention. Chylothorax or chyle leak results from lymph formed in the digestive system called chyle accumulating in the pleural cavity due to either disruption or obstruction of the thoracic duct.
- Use of Vicryl Mesh and Tissue Sealant for Refractory Retroperitoneal Lymphatic Leak: This study is to report on the outcomes of children with refractory chylous ascites treated with retroperitoneal exploration and vicryl/fibrin sealant. Chylous ascites is fluid in the abdomen caused by accumulation of lymph in the peritoneal cavity, usually due to intra-abdominal cancer, liver cirrhosis, or abdominal surgery complications.
- Laparoscopic Common Bile Duct Exploration for Choledocholithiasis in Pediatric Patients:This study is to evaluate the outcomes of laparoscopic common bile duct exploration in pediatric patients with common bile duct obstruction from a gallstone.
- Evaluation of NEC Guideline: Quality Improvement/Assurance for the Diagnosis and Management of Suspected and Definitive Necrotizing Enterocolitis Using the Brandon NICU Guideline: This study is to look at the patients managed in the Neonatal ICU (NICU) with the diagnosis of necrotizing enterocolitis (NEC) before and after the development and implementation of a guideline for management.
- Multicenter Report of Liquid Ventilation Therapy While on ECLS: This study is to evaluate characteristics and outcomes of patients that received liquid ventilation while on Extra-Corporeal Life Support (ECLS).
- The Role of 4-hour Post-operative PTH Level in Predicting Hypocalcemia After Thyroidectomy in the Pediatric Patient: This study is to evaluate the effectiveness of the 4 hour postoperative parathyroid hormone (PTH) level in predicting the pediatric patients that will need calcium supplementation after thyroidectomy and compare it to the traditional method of monitoring for hypocalcemia.