Approximately 4,000 patients at the University of Michigan Health System (UMHS) have been notified this December that their personal health information has been compromised, UMHS officials announced.

UMHS was notified Nov. 20 by Mountain View, Calif.-based medication management vendor Omnicell that an unsecured electronic device containing patient health information was stolen from an Omnicell employee's car on Nov. 14, according to a UMHS press release. Notification letters were sent out to 3,997 patients Dec. 18.

[See also: Q&A: OCR Director Leon Rodriguez talks audits and enforcements to come.]

The unencrypted device contained patient names, dates of birth, medical record numbers and may have included gender; allergies; admission date and/or discharge date; physician name; patient type; hospital site; room number; medication name; and medication dose amount and rate, route, frequency, administration instructions, start time and/or stop time from patients across three UMHS hospitals.

“Patient privacy is extremely important to us, and we take this matter very seriously,” said UMHS Chief Compliance Officer Jeanne Strickland. “UMHS has taken immediate steps to investigate this matter.”

Since the August 2009 Breach Notification Rule requiring HIPAA-covered entities report breaches involving 500 or more patient records, some 21 million patient records have been compromised in healthcare data breaches, according to data from the Department of Health and Human Services.

But Lisa Gallagher, senior director of privacy and security for HIMSS, says what's even more concerning is that "data breaches involving 499 or fewer are not counted in the HHS final count." She estimates that in actuality somewhere between 40-45 million patient records may have been compromised nationwide.

[See also: Health IT guru reflects back on data breach and the right way to respond.]

Since 2009, 11 data breaches involving 118,596 patient records in Michigan have been investigated and closed by the Office of Civil Rights (OCR). Southfield, Mich.-based Providence Hospital was the largest HIPAA breach in the state to be investigated by the OCR. In February 2010, the hospital reported that an external hard drive containing personal health information of nearly 84,000 patient records had been lost or stolen.