By Rick Weiss and Ellen Nakashima
Washington Post Staff Writers
Thursday, April 10, 2008
Social Security numbers for more than 1,200 participants in a National Institutes of Health study were stored on a stolen laptop containing their medical records, putting those patients at risk of identity theft, agency officials said yesterday.
NIH officials had initially assured the more than 3,000 patients whose records were on the laptop that the computer's contents -- unencrypted, in violation of federal policy -- did not contain any information that could put their identity or finances at risk.
But an ongoing review of the computer's last-known contents, performed on data backed up from the laptop before it was stolen, has found a file that, unbeknownst to the lead researcher, had been loaded onto the laptop by a research associate.
That file included Social Security numbers for at least 1,281 of the 3,078 patients enrolled in the multi-year study, which is sponsored by the NIH's National Heart, Lung and Blood Institute (NHLBI).
NIH spokesman John Burklow said yesterday that letters are being sent to all those affected, informing them of the risk and offering them free registration for a service that will allow them to monitor their credit reports. The NIH is also insuring each participant for up to $20,000 in losses from identity theft.
The cost to taxpayers for those services is estimated to be $18,400.
"This is a hard lesson for NIH," Burklow said. "The question is, what have we learned, and what are we doing to prevent information security breaches in the future?"
For starters, Burklow said, NIH Director Elias A. Zerhouni yesterday sent an electronic memo to employees of the $28 billion agency, reminding them of the importance of following rules governing computer encryption and patient privacy.
In the memo, marked "Urgent" and bearing the subject line "IMPORTANT MESSAGE FROM DIRECTOR, NIH," Zerhouni called the privacy breach "a serious violation of our commitment to protect the confidentiality of our patients" and told employees "we must do a far better job of protecting data" on laptops and portable storage devices.
The memo insisted that NIH employees immediately encrypt their laptops, memory devices and, in some cases, e-mail accounts, and warned that random audits would begin immediately.
At the same time, the memo acknowledged a little-talked-about fact: There is as yet no government-approved encryption software for use on Macintosh laptops, a popular brand among scientists. For now, the memo concludes, that means Macs must not be used to store sensitive data and Mac users must delete incoming e-mails containing sensitive information immediately after remotely archiving that information at a secure site.
With several more paragraphs devoted to instructions for ensuring proper data protection on flash drives, BlackBerrys and other electronic devices, the memo offers compelling evidence of what an enormously daunting task NIH and other agencies face: More and more information and analysis are collected and conducted on portable devices that are easily misplaced or stolen.
It is a task, however, that legislators yesterday said must be accomplished, lest public trust be lost.
"In the wrong hands, Social Security numbers let people unlock our lives and steal both our money and our reputations . . . and the government largely has failed to do much about it," said Rep. Joe Barton (R-Tex.), who last week revealed that he was in the NIH study and that his medical records were among those on the stolen laptop. "Indeed, now the government itself is losing Social Security numbers."
Several members of Congress have initiated investigations into the matter, as has NIH and the inspector general of the Department of Health and Human Services.
Burklow said technicians are still sifting through the backup computer contents to see if other surprises are there.
The file containing the Social Security numbers was overlooked on initial examination of the laptop's 36,000 files, he said, because it had a seemingly meaningless title.
Investigators have now determined that it was loaded onto the laptop by a clinical research fellow as part of an effort to cross-match the names of study participants with the National Death Index maintained by the National Center for Health Statistics, which collects death records from state vital statistics offices.