4,000 patients impacted in Michigan data breach

The theft of electronic equipment from a vendor employee's car has prompted the University of Michigan Health System (UMHS) to alert approximately 4,000 patients that some of their demographics and health information may have been exposed.

The information should have been stored on an encrypted device but wasn't, system officials said in a release. That marked a violation of the system's agreement with Omnicell, a Mountain View, Calif.-based health IT services provider. The stolen equipment contained information from patients seen between Oct. 24 and Nov. 13 at two UMHS hospitals as well as information from patients at two other hospitals unnamed in the UMHS release. An Omnicell representative was unavailable for comment at deadline, and no additional information on the incident was available from Omnicell's website.

Data stored on the device included names, birth dates and medical record numbers. Information about admission dates and patients' gender, allergies, doctor's name, medication name and room number also may have been contained on the device. UMHS officials emphasized the data didn't include the patients' addresses, phone numbers, Social Security numbers or bank and credit card account numbers.

The device, which has not been recovered, was stolen Nov. 14 from an Omnicell employee's car. UMHS was notified six days later, according to the release. Omnicell is revising its practices in response, the release stated. UMHS said it believes the likelihood of fraud is low, as a data key would be needed to understand the stored information.