An Important Notice for Patients Regarding Omnicell Incident

ANN ARBOR, Mich. – The University of Michigan Health System has sent letters to approximately 4,000 patients to inform them of an incident that may have exposed some of their health information.   

Please note: This incident affected only certain patients treated at UMHS between Oct. 24 and Nov.13, 2012. If you are concerned that your information may have been exposed but do not receive a letter by January 14, 2013, please call toll-free (855) 855-4331, Monday through Friday, from 8 a.m. to 5 p.m., and Saturday, from 8 a.m. to 2 p.m.   
UMHS was notified on Nov. 20 by one of its vendors, Omnicell, that Omnicell electronic equipment containing some UMHS patient medication information – as well as patient information for two other hospitals – was stolen on Nov.14. The information did not include addresses, phone numbers, social security numbers, credit card, debit card, or bank account numbers, but did include some demographic and health information.

The electronic equipment was stolen out of an Omnicell employee’s car. A police report was filed, but the equipment has not been recovered. UMHS has determined that the potential patient information exposure occurred because Omnicell’s employee stored data on an unsecured electronic device, which is a violation of UMHS’ and Omnicell’s standard policies and procedures in place to protect private health information.

Our investigation shows that the files on the stolen electronic equipment contained the following information about some patients who were seen between Oct. 24 and Nov.13, 2012: patient name; birth date, UMHS patient number and medical record number. Additionally, one or more of the following clinical information may also have been involved: gender; allergies; admission date and/or discharge date; physician name; patient type (i.e., inpatient, emergency department or outpatient); site and area of the hospital; room number; medication name; and medication dose amount and rate, route, frequency, administration instructions, start time and/or stop time.

We have no reason to believe that the device was taken for the information it contained, or that the information has been accessed or used improperly. As noted, the limited data does not include patients’ financial information and is also not in an easily readable format, which would make it difficult to decipher. We believe the risk of any type of fraud occurring as a result of this incident is extremely low. However, as a precautionary measure, affected patients have been advised to monitor their medical insurance statements for any potential evidence of fraudulent transactions.

Patient privacy is extremely important to us, and we take this matter very seriously. We have taken immediate steps to investigate this matter. UMHS continues to assess its security measures, and educate its own workforce and all its vendors on the UMHS policies and procedures regarding confidentiality and security of patient information, including the need to store patient information on secure devices.

Omnicell’s equipment assists UMHS in dispensing patient medications for quality care purposes. Omnicell is continuing to investigate this incident and is working closely with authorities to locate the stolen equipment and secure all patient information.  Omnicell is also taking steps to improve its security program and practices in response to this incident.