TechWeb

Patient Records Exposed Through Government Laptop Theft

Mar 25, 2008 (11:03 AM EDT)

Read the Original Article at http://www.informationweek.com/news/showArticle.jhtml?articleID=206905656


Thousands of patient health records have been exposed after a government laptop was stolen.

The National Institutes of Health issued a statement Monday saying patients' information had been stored in a laptop that was stolen from an employee's car in January.

Elizabeth G. Nabel, M.D., Director of the National Heart, Lung, and Blood Institute (NHLBI), said that someone stole a laptop that a researcher had locked in the trunk of a car parked away from the NIH campus. The laptop theft appeared to be random, she said.

The computer contained research information from a six-year heart imaging study that involved about 2,500 patients and ended last year. The information includes patients' names, birth dates, hospital medical record numbers, measurements, and diagnoses, Nabel said.

"The laptop contained no additional medical information on participants beyond the MRI reports and no additional information such as social security numbers, addresses, phone numbers, or any financial information," she said in a statement. "Although the laptop was turned off and password protected, so that retrieving the confidential information would require considerable computer sophistication, the NHLBI recognizes that such information should not have been stored in an unencrypted form on a laptop computer."

Police are investigating the theft. The NIH's information systems security experts said that, since it appears to be a random incident, "it is unlikely that participants' information was specifically targeted." They also believe the incident poses a low risk of identity theft or financial loss.

Nabel said the NIH is inspecting and encrypting all laptops to improve data security and prevent similar incidents from occurring. The Department of Health and Human Services and the Office of Management and Budget have policies mandating encryption. The NIH also plans to enforce computer security training requirements. Finally, the NIH has told employees and researchers never to keep patient names, identifiers, or medical records on laptops.

"When volunteers enroll in a clinical study, they place great trust in the researchers and study staff, expecting them to act both responsibly and ethically," Nabel said. "We at the NHLBI take that trust very seriously and we deeply regret that this incident may cause those who have participated in one of our studies to feel that we have violated that trust."