Office of the Vice President for Global Communications

Friday, January 27, 2012

University committed to correcting gaps in procedures

An internal review of how a report of a possible medical campus crime was handled has revealed gaps in university procedures that campus leaders are committed to correcting.

Preliminary findings from the review by University Audits indicate that a possible crime was first reported in May 2011 but not fully investigated until November 2011. The case was dismissed in May because of a lack of evidence.

When it was brought forward again in November, the case was fully investigated and evidence showed wrongdoing on the part of a U-M medical resident. The resident has since been charged with possession of child pornography and no longer is working in the Health System. There never was any indication of illegal of inappropriate behavior with patients.

Upon learning of this delay, President Mary Sue Coleman immediately asked for an internal review to determine how this occurred.

"The delay in reporting revealed gaps in our procedures and misunderstandings among employees that we are determined to correct," said university spokesperson Rick Fitzgerald.

"Managers are cooperating across several different offices in the university to better define reporting responsibilities for suspected criminal activity and to improve training and communication related to crime reporting and investigation."

The internal review still is being finalized, but some of the preliminary recommendations touch on areas such as communications, common procedures, joint training and clarified roles.

There were several factors that caused the case to be stalled after the first attempt at investigation:

• Primary evidence that had been seen on a thumb drive attached to a hospital computer disappeared between the time it was first seen and the next morning when Hospital Security went to retrieve it.

• There was not a clear line of responsibility for investigating the case. The Office of the General Counsel for the Health System ultimately took ownership of the case and determined there was not enough evidence to continue the investigation.

• Hospital Security did not log the case in the system shared with the Department of Public Safety. If that had been done, DPS would have seen that there was a possible crime to investigate.

• MCIT (Medical Center Information Technology) reviewed the computer internal logs where the thumb drive had been seen and was able to determine who had accessed the computer. However, MCIT does not have the technology or training to do forensic investigation of electronic devices and, therefore, was not able to retrieve other relevant information such as thumb drive access.

• There was confusion about the roles of Hospital Security and DPS. Hospital employees that reported the incident thought they were talking to police when they were talking with Hospital Security.

DPS and Hospital Security have strong policies and procedures for their individual departments, but weak communication protocols between the two departments. To correct that the university is exploring a number of things:

• Developing a common set of guidelines for reporting security incidents throughout the university.

• Consistent logging of all potential criminal activity in a reporting system that is shared by Hospital Security and DPS.

• Development of joint training exercises.

• Referring all computer forensic needs to DPS.