Healthcare Information Security

HIPAA and Compliance News

Omnicell health data breach details emerge

By Patrick Ouellette

Following a Dec. 21 announcement that Omnicell, University of Michigan Health System’s (UMHS) supply management system vendor, had lost unencrypted patient information due to stolen electronic equipment, more details about the other hospitals involved in the health data breach have surfaced.

In addition to the 4,000 UMHS patients notified, Sentara Healthcare and South Jersey Healthcare recently notified patients that their information was included in this breach because it was on the stolen device as well.

Yesterday, reported that 56,000 Sentara Healthcare patients treated between Oct. 18 and Nov. 9 at seven Sentara hospitals and three outpatient care centers in Hampton Roads, Virginia had data compromised as a result of the breach. Those facilities were Sentara CarePlex, Sentara Leigh Hospital, Sentara Norfolk General Hospital, Sentara Obici Hospital, Sentara Princess Anne Hospital, Sentara Virginia Beach General Hospital, Sentara Williamsburg Regional Medical Center, Sentara BelleHarbour, Sentara Independence, and Sentara Port Warwick. The Sentara website offered this information in a release about the breach:

On November 15, 2012, Omnicell learned that an Omnicell device containing some Sentara Healthcare patient information was stolen on the night of November 14th from an Omnicell employee’s locked car. A police report was filed, but the device has not been recovered. Omnicell advised Sentara Healthcare of the incident on November 20, 2012.

Omnicell’s investigation concluded that the device may have contained clinical and demographic information about Sentara patients, including patient name, birth date, patient number and medical record number. Additionally, one or more of the following clinical information may have been involved:

Gender; allergies; admission date and/or discharge date; physician name; patient type (i.e., inpatient, emergency department or outpatient); site and area of the hospital (e.g., specific inpatient or outpatient unit/area); room number; medication name; and medication dose amount and rate, route (e.g., oral, infusion, etc.), frequency, administration instructions, and start time and/or stop time.

Patient medical records were not on the device, and patient medical information has not been lost. Also, no financial, bank account information, Social Security number, or insurance information pertaining to any Sentara patient was on the device.

Last night, detailed South Jersey Healthcare’s announcement that 8,500 patients were affected by the breach. The Daily Journal reported that the device was a laptop and that it hasn’t been recovered yet, but that hasn’t been confirmed elsewhere. Most of these patients had been treated between June 1, 2012 and Nov. 12, 2012.

Omnicell has notified all South Jersey Healthcare patients involved and, according to the site, the device did not contain patient medical records, financial, bank account or insurance information pertaining to any South Jersey Healthcare patient. However, there were non-identifiable Social Security numbers on the device. Additionally, there was information such as gender, allergies, admission date, discharge date, physician name, patient type (inpatient, emergency department or outpatient), site and area of the hospital or room number.

As much flak as healthcare providers have received for health data breaches over the past year, how vendors are received after losing sensitive patient data will be an interesting storyline for 2013. Companies such as Omnicell should be considered Business Associates under HIPAA regulations, which begs the question of whether the Office for Civil Rights (OCR) will begin to focus on vendors to tighten up security measures.

