The unencrypted medical information of nearly 2,500
participants in a cardiac study conducted by the National Heart, Lung and Blood
Institute (NHLBI) was stolen February 23 from the locked trunk of Dr. Andrew
E. Arai’s car.
Given the circumstances, the patients involved in the study
should have been informed about the situation immediately, but the NHLBI did
not send letters notifying the patients until March 20.
“The stunning failure to act … raises troubling questions,”
said Rep. John D. Dingell (D-Mich.), quoted by the Associated Press.
The House Energy and Commerce Committee, which Dingell
chairs, started an investigation yesterday into the delay and why patients’
records were not encrypted in violation of federal policy.
"Electronic information travels in seconds and minutes, not days and
weeks. The NIH should take as much care in protecting its patients' personally
identifiable information as it does when handling blood samples," said
Sen. Norm Coleman, R-Minn.
The patients were enrolled in a cardiac study, and the
password-protected records contain patient names, their diagnosis of heart
disease, MRI heart scans and birth dates, but not Social Security numbers,
addresses or phone numbers.
The National Institutes of Health “recognizes that such
information should not have been stored in an unencrypted form on a laptop
computer. We deeply regret that this incident may cause those who have
participated in one of our studies to feel that we have violated that trust,”
Dr. Elizabeth Nabel, head of NIH’s NHLBI, said in a statement, according to the
AP. She added that the theft appeared to have been random.
Nabel’s statement did not mention the date of the theft, but
it noted that an internal review board at the NHLBI decided March 4 that the
participants in the study should be notified of the incident. Therefore, a
notification letter was approved last Thursday and then sent via overnight
delivery to each of the affected individuals for whom the institute had a
current address.
Following the incident, the NHLBI said on Friday it would
install encryption software on its laptop and conduct regular security training
for its employees.
“We are going to be looking at our policy going forward,”
Susan Shurin, deputy director of the NHLBI, told CNN Monday. She added that she
expects the encryption process to be completed by April 4.
This unfortunate incident comes after the well-publicized
theft of a Veterans Affairs laptop computer in May 2006, which contained
personal data for 26.5 million veterans and military personnel. The laptop was
stolen when an employee took it to his home in violation of agency rules. At the
time, the government required encryption of sensitive data stored on laptops,
but a review by the Government Accountability Office last month, requested by
Coleman, found few federal agencies had taken enough steps to protect personal
information.