By Ellen Nakashima and Rick Weiss
Washington Post Staff Writers
Monday, March 24, 2008
A government laptop computer containing sensitive medical information on 2,500 patients enrolled in a National Institutes of Health study was stolen in February, potentially exposing seven years' worth of clinical trial data, including names, medical diagnoses and details of the patients' heart scans. The information was not encrypted, in violation of the government's data-security policy.
NIH officials made no public comment about the theft and did not send letters notifying the affected patients of the breach until last Thursday -- almost a month later. They said they hesitated because of concerns that they would provoke undue alarm.
The handling of the incident is reminiscent of a 2006 theft from the home of a Department of Veterans Affairs employee of a laptop with personal information about veterans and active-duty service members. In that case, VA officials waited 19 days before announcing the theft.
"The shocking part here is we now have personally identifiable information -- name and age -- linked to clinical data," said Leslie Harris, executive director of the Center for Democracy & Technology. "If somebody does not want to share the fact that they're in a clinical trial or the fact they've got a heart disease, this is very, very serious. The risk of identity theft and of revealing highly personal information about your health are closely linked here."
The incident is the latest in a number of failures by government employees to properly secure personal information. This month, the Government Accountability Office found that at least 19 of 24 agencies reviewed had experienced at least one breach that could expose people's personal information to identity theft.
Elizabeth G. Nabel, director of the National Heart, Lung and Blood Institute (NHLBI), said in a statement issued late Friday that "when volunteers enroll in a clinical study, they place great trust in the researchers and study staff, expecting them to act both responsibly and ethically." She said that "we deeply regret that this incident may cause those who have participated in one of our studies to feel that we have violated that trust."
NIH officials said the laptop was taken Feb. 23 from the locked trunk of a car driven by an NHLBI laboratory chief named Andrew Arai, who had taken his daughter to a swim meet in Montgomery County. They called it a random theft. Arai oversees the institute's research program on cardiac magnetic resonance imaging and signed the letters to those whose data was exposed.
In the letter, Arai told the patients that "some personally identifiable information" was on the stolen computer, including names, birth dates, hospital medical record numbers and MRI information reports, such as measurements and diagnoses. Social Security numbers, phone numbers, addresses and financial information were not on the laptop, officials said.
Arai's letter said that the NIH Center for Information Technology determined that the theft posed "a low likelihood of identity fraud" or financial harm. "It is, however, an unfortunate breach of our commitment to protect the confidentiality of your research records," he wrote.
An initial effort by information technology personnel failed to encrypt the laptop before it was stolen and Arai neglected to follow up, according to NHLBI spokeswoman Susan Dambrauskas.
According to a chronology provided by Dambrauskas, three offices that focus on information security within NIH and the Department of Health and Human Services were contacted within three days of the theft.
But officials did not report it to the NHLBI Institutional Review Board -- whose job is to protect the well-being of patients in research -- until Feb. 29, six days after the theft. That put the matter on the board's agenda for its next meeting, on March 4, according to the board's chairman, Alison Wichman.
"We didn't feel that subjects were at immediate risk," she said. "We felt that we had some time to be thorough in our evaluation. In the end, that may or may not have been appropriate."
NIH spokesman John T. Burklow said that during the meeting, the board had "long and intense" discussions about what to do, as "there were concerns about not causing patients undue alarm." The board nonetheless voted unanimously to ask Arai to draft a notification letter, Wichman said.
At its next meeting, on March 18, the board reviewed the letter. Two days later, it gave final approval.
After the theft of the VA laptop, which contained sensitive personal information about 26.5 million veterans and military service members, the Office of Management and Budget issued in 2006 guidelines recommending that portable electronic devices be routinely loaded with encryption software.
Last May, it decided to require such encryption unless a senior agency official certifies that the device does not contain sensitive information. It also required limiting remote access to sensitive data repositories to authorized users with two methods of authenticating their identity, and documenting whenever sensitive information is downloaded and by whom.
The OMB memo required that agencies report a suspected or confirmed breach of personally identifiable information to US-CERT, a Department of Homeland Security Computer Emergency Readiness Team, within one hour of discovery -- a deadline NIH says it met.
In the case of the VA data, the laptop and hard drive were recovered. The FBI confirmed that the data had not been compromised. Two burglars were caught and convicted.
Nabel, in her statement, said that since the NIH incident, "we are ensuring" that all the institute's laptop computers are encrypted and that staff members will be required to take regular computer security training. She also said "patient names, other identifying information, or identifiable medical information" will no longer be stored on laptop computers.