Lawmakers Question NIH Handling of Data Loss
Tuesday, March 25, 2008
Lawmakers questioned yesterday why the National Institutes of Health waited almost a month to warn 2,500 patients enrolled in a federal medical study that some of their unencrypted medical information was in a stolen laptop computer.
The laptop was stolen Feb. 23 from the locked trunk of a researcher's car, but NIH did not send letters notifying the patients until March 20.
"The stunning failure to act . . . raises troubling questions," said Rep. John D. Dingell (D-Mich.).
The House Energy and Commerce Committee, which Dingell chairs, began an investigation yesterday into the delay and why the patients' records were not encrypted, in violation of federal policy.
"Electronic information travels in seconds and minutes, not days and weeks. The NIH should take as much care in protecting its patients' personally identifiable information as it does when handling blood samples," said Sen. Norm Coleman (R-Minn.).
Rep. Edward J. Markey (D-Mass.), who chairs the Congressional Privacy Caucus, sent a letter to Health and Human Services Secretary Mike Leavitt asking why the laptop was not encrypted, what steps the department would take to prevent future breaches and whether there had been similar episodes in the past three years.
And the chairman of the House subcommittee on oversight and investigations vowed to investigate. "The theft of a government laptop from an NIH employee and the subsequent mishandling of the situation raise serious questions about the agency's commitment to data security," said Rep. Bart Stupak (D-Mich.).
The government has required encryption of sensitive data stored on laptops since the 2006 theft of computer equipment that contained data on 26.5 million veterans. But a review by the Government Accountability Office last month, requested by Coleman, found few federal agencies had taken enough steps to protect personal information.
NIH said there is little risk of identity theft from the kind of information the laptop contained. The patients were enrolled in a cardiac study, and the password-protected records contain patient names, their diagnosis of heart disease, MRI heart scans and birth dates -- but not Social Security numbers, addresses or phone numbers.
NIH "recognizes that such information should not have been stored in an unencrypted form on a laptop computer," Elizabeth Nabel, of NIH's National Heart, Lung and Blood Institute, said in a statement.