Another Laptop Goes Astray
Another security breach involving sensitive information has occurred. This time, a laptop computer containing the unsecured data of about 2500 participants in a cardiac study of the National Heart, Lung and Blood Tissue Institute (NHLBI), part of the National Institutes of Health (NIH), was stolen from the trunk of a car owned by an employee of the NHLBI.
While the integrity of personal patient information is of critical importance, the fact remains that NIH and NHLBI still fail to follow the June 2006 recommendations of the National Institute of Standards and Technology (NIST) that laptops and mobile databases be encrypted.
Important questions are raised by this incident.
1) Why is sensitive patient information being stored on a laptop that an employee is able to take home?
2) If the theft of the laptop occurred on February 23rd, why was it not until March 4th that the National Heart, Lung, and Blood Institute (NHLBI) determined that study participants should be notified about the breach?
3) Why did it take another two weeks, until March 20th, for the letter informing the patients of the breach to go out to them in overnight mail?
NHLBI director Elizabeth Nabel said in a statement that the theft did not occur on the NIH's Bethesda, Md., campus, but she did not provide any other details about the alleged crime. She said the purloined computer was issued to an employee (as opposed to a government contractor); it reportedly contained the names, birth dates and hospital medical record numbers of each participant as well as information gleaned about them from cardiac MRIs taken during the study conducted from 2001 to 2007.
Considering the cyber-demand for sensitive information, it would seem that the protection of patients’ rights takes priority over a government employee’s convenience in transporting a laptop in the trunk of a car. Further, if this level of poor security exists with patient data, what other lapses of a national security nature are possible?