The University of Michigan Health System notified around 4,000 patients last week that their demographic, medication and health information had been stolen.
The Detroit Free Press explained in an article that the information was stolen on November 14th from the vehicle of an employee of a vendor, Omnicell. The information taken did not include addresses, phone numbers, Social Security numbers, or any type of banking information.
With the U.S. Department of Health and Human Services reporting that nearly 20 million patient records have been leaked in the last two years, healthcare security is a huge concern for 2013. Business Associates (BAs) especially, who were involved in 58% of data breaches in that period, should be taking a hard look inward at the measures they take to stay compliant. It is the responsibility of the Covered Entity (CE) to do its due diligence and confirm the HIPAA compliance of its vendors, who should be trained in HIPAA compliance standards as well. Signing a Business Associate Agreement (BAA) also helps to spell out the specific physical, technical and administrative responsibilities taken on by the CE and by the BA.
Just having the procedures in place is not enough, however. Employees need to follow the policies and procedures for them to be effective. This includes continual staff training, which can sometimes fall by the wayside within a company’s security and data protection program. In the case of Omnicell, the vendor explained to the University of Michigan Health System (UMHS) that the stolen data was on an unsecured device, and admitted that this was not in line with the policies put forth by either UMHS or Omnicell itself. The investigation into the stolen data and equipment is continuing.
The patients affected should have already received notification, and are able to call 855-855-4331 in the event that they have any questions.