Patients' Data on Stolen Laptop
"We didn't feel that subjects were at immediate risk," she said. "We felt that we had some time to be thorough in our evaluation. In the end, that may or may not have been appropriate."
NIH spokesman John T. Burklow said that during the meeting, the board had "long and intense" discussions about what to do, as "there were concerns about not causing patients undue alarm." The board nonetheless voted unanimously to ask Arai to draft a notification letter, Wichman said.
At its next meeting, on March 18, the board reviewed the letter. Two days later, it gave final approval.
After the theft of the VA laptop, which contained sensitive personal information about 26.5 million veterans and military service members, the Office of Management and Budget issued guidelines in 2006 recommending that portable electronic devices be routinely loaded with encryption software.
Last May, it decided to require such encryption unless a senior agency official certifies that the device does not contain sensitive information. It also required limiting remote access to sensitive data repositories to authorized users with two methods of authenticating their identity, and documenting whenever sensitive information is downloaded and by whom.
The OMB memo required that agencies report a suspected or confirmed breach of personally identifiable information to US-CERT, a Department of Homeland Security Computer Emergency Readiness Team, within one hour of discovery -- a deadline NIH says it met.
In the case of the VA data, the laptop and hard drive were recovered. The FBI confirmed that the data had not been compromised. Two burglars were caught and convicted.
Nabel, in her statement, said that since the NIH incident, "we are ensuring" that all the institute's laptop computers are encrypted and that staff members will be required to take regular computer security training. She also said "patient names, other identifying information, or identifiable medical information" will no longer be stored on laptop computers.


