The University of Michigan Health System notified around 4,000 patients last week that their demographic, medication and health information had been stolen.
The Detroit Free Press explained in an article that the information was stolen from the vehicle of an employee of a vendor, Omnicell, on November 14th. The information taken did not include addresses, phone numbers, Social Security numbers, or any type of banking info.
With the U.S. Department of Health and Human Services saying that nearly 20 million patient records have been leaked in the last two years, healthcare security is a huge concern for 2013. Business Associates (BAs) especially, who were involved in 58% of data breaches within this time, should be taking a hard look inward at the measures they take to stay compliant. It is the responsibility of the Covered Entity (CE) to do its due diligence and confirm the HIPAA compliance of its vendors, who should be trained in HIPAA compliance standards as well. Signing a BAA (Business Associate Agreement) also helps outline specifically which physical, technical and administrative responsibilities are taken on by the CE and which by the BA.
Just having the procedures in place is not enough, however. Employees need to follow the policies and procedures in order for them to be effective. This includes continual staff training, which can sometimes fall by the wayside within a company’s security and data protection implementations. In the case of Omnicell, the company explained to the University of Michigan Health System (UMHS) that the stolen data was on an unsecured device, and admitted that this was not in line with the policies put forth by either UMHS or Omnicell itself. Omnicell is continuing the investigation into the stolen data and equipment.
The patients affected should have already received notification, and are able to call 855-855-4331 in the event that they have any questions.