DATA ON THE LOOSE: Despite repeated warnings of the dangers of storing unencrypted data on laptops, the National Heart, Lung, and Blood Institute (NHLBI) last month had a laptop containing unencrypted information for about 2,500 participants in a cardiac MRI study stolen from the trunk of a researcher's car. Image: Courtesy of iStockphoto, Copyright: Angel Herrero de Frutos
The federal government has repeatedly pledged to encrypt sensitive information, not to mention stop the practice of storing it on employee laptops, in the wake of several serious security breaches. But apparently it has yet to make good on its promises. The U.S. National Institutes of Health (NIH) confirmed Monday that a laptop containing unsecured information about 2,500 participants enrolled in a cardiac study by its National Heart, Lung, and Blood Institute (NHLBI) was stolen from the trunk of a researcher's car.
NHLBI director Elizabeth Nabel said in a statement that the theft did not occur on the NIH's Bethesda, Md., campus, but she did not provide any other details about the alleged crime. She said the purloined computer was issued to an employee (as opposed to a government contractor); it reportedly contained the names, birth dates and hospital medical record numbers of each participant as well as information gleaned about them from cardiac MRIs taken during the study conducted from 2001 to 2007.
The NHLBI Institutional Review Board (IRB)—an independent committee that oversees the conduct of research to protect the rights and welfare of study participants—decided on March 4 that study participants should be informed of the breach, but the panel did not approve a letter to be sent to them until March 20. (They were sent via overnight delivery the following day.) The NHLBI said it "immediately" reported the theft to Montgomery County, Md., police. The NHLBI did not respond to phone or e-mail requests for comment, but The Washington Post reported that the laptop was stolen February 23. Federal organizations supported by the U.S. Department of Health and Human Services (which administers the NIH) that conduct research on humans are required to have an IRB consisting of at least five members with varied backgrounds (both in science and other disciplines) review their work.
NHLBI conducts research designed to get to the bottom of heart, blood vessel, lung and blood diseases as well as sleep disorders. It is only one of several government agencies that have had sensitive—and unencrypted—information stolen over the past two years; others include the U.S. Department of Veterans Affairs (VA) (which in May 2006 had a laptop containing the personal information of 26.5 million veterans and their spouses stolen from an employee's apartment); the U.S. Department of Transportation (victim of a July 2006 theft from a special agent's car in Doral, Fla., of a laptop containing Social Security numbers and other personal information on some 133,000 Florida residents); and the Internal Revenue Service, which in June 2006 lost a laptop containing information on 291 employees and job applicants, including fingerprints, names, Social Security numbers and birth dates.
The private sector has not fared much better. During the same period, several major corporations including Fidelity Investments and General Electric reported similar security breaches that put as many as 250,000 people at risk for identity theft and financial fraud.
NHLBI clearly did not follow recommendations made by the U.S. National Institute of Standards and Technology (NIST) in June 2006 that government departments and agencies encrypt all data on mobile computers and devices unless the information was deemed "nonsensitive" in writing by the department or agency head. Compliance was voluntary, but the White House Office of Management and Budget the following month issued a memorandum requiring agencies to report all thefts or loss of personally identifiable information to the U.S. Computer Emergency Readiness Team (U.S.–CERT) within an hour of discovering such an incident. U.S–CERT was established in 2003 to protect the nation's Internet infrastructure, coordinating defense against and responses to cyber attacks.
In the VA burglary, after the government learned of the crime more than three weeks had elapsed before it notified the public. The VA was informed on May 3 but did not tell affected veterans until the end of the month. Nor did the VA act quickly enough to enforce encryption policies. A few months later, another VA laptop was stolen from the Reston, Va., offices of government contractor Unisys Corporation. That computer contained thousands of unsecured records of VA patients that had been treated in Philadelphia and Pittsburgh medical facilities.
Nabel says the stolen NHLBI laptop was turned off and password protected, likely limiting the potential fallout. But she acknowledged that such information should not have been stored in unencrypted form on a laptop. "When volunteers enroll in a clinical study, they place great trust in the researchers and study staff, expecting them to act both responsibly and ethically," she said in the statement. "We at the NHLBI take that trust very seriously and we deeply regret that this incident may cause those who have participated in one of our studies to feel that we have violated that trust."
Nabel also said the NIH's Center for Information Technology (CIT) staff determined that it is unlikely that study participants' information was specifically targeted for theft. CIT agreed that the incident poses a "low likelihood of identity theft or financial implications."
With a healthy demand on the Internet for stolen personal information that can be bought and sold to commit fraud, only time will tell if the government's assessment is accurate, or simply wishful thinking.