Stolen laptop compromises privacy of NIH study subjects
The computer had been left in a researcher's car and contained unencrypted data on more than 3,000 research participants.
By Dave Hansen — Posted April 21, 2008
Washington -- The theft of a laptop from a National Institutes of Health researcher is an example of why physicians and other health care professionals must remain vigilant about the security of patient data, said a privacy expert.
The computer was stolen on Feb. 23 from the trunk of a car belonging to the researcher, who is employed by the National Heart, Lung and Blood Institute, a part of the National Institutes of Health. The laptop contains information on 3,078 participants in a cardiac study conducted between 2001 and 2007, said NHLBI Director Elizabeth G. Nabel, MD. The information should have been encrypted but was not, she said.
An earlier attempt at encryption corrupted much of the data, explained NHLBI spokeswoman Susan Dambrauskas. A laboratory official had requested another encryption process prior to the theft, she said, but this had not yet been done.
NHLBI informed the study participants in late March about the theft, said Dambrauskas. The NHLBI "deeply regrets" the incident, Dr. Nabel stated.
The breach of security is "quite serious" and serves as a cautionary tale for physicians and other health care professionals, said Deven McGraw, MPH, director of the Health Privacy Project at the Center for Democracy and Technology, a nonprofit organization formed to advance free expression and privacy in technologically advanced communication media.
"Always taking the utmost care in protecting privacy and confidentiality measures is not a bad idea," she said. While it is impossible to create a security system impervious to human error, organizations must have strong security policies in place and enforce them, added McGraw.
Dambrauskas said that the Health Insurance Portability and Accountability Act's medical records security provisions do not apply in this case. The data, instead, are covered by the Federal Privacy Act, which regulates the use of personal information collected by the federal government, she said.
Violations of the Privacy Act are considered a misdemeanor and can result in fines of up to $5,000. Dambrauskas did not disclose whether any disciplinary action had been taken in the incident. The researcher took the computer from his office for after-hours work, which is not a violation of NIH policy, said Dambrauskas.
NHLBI's Institutional Review Board, an independent committee that reviews the conduct of the institute's research, met on March 4 and determined that study participants should be notified about the theft, Dr. Nabel said. NHLBI approved a notification letter on March 20. She did not give a reason for the delay between the theft and notification.
Information on the laptop included each participant's name, birth date, hospital medical record number and MRI data, Dr. Nabel said. It did not contain Social Security numbers, addresses, telephone numbers or any of the participants' financial information, she said.
The computer probably was not stolen for its information, concluded security specialists at NHLBI's Center for Information Technology. The incident poses little chance of identity theft or adverse financial implications, they said.
The laptop was password-protected and turned off. Retrieving the data would require considerable computer sophistication, Dr. Nabel said. It had not been recovered as of press time in early April.
The NHLBI will inspect every staff computer to ensure encryption software is installed and will require every staff member to take computer security training on a regular basis, Dr. Nabel said.
Congress seeks answers
Prominent House Democrats announced they will investigate the incident, particularly why it took several weeks to notify study participants that the data were stolen.
"The stunning failure to act by both NIH and the Dept. of Health and Human Services raises troubling questions," said Rep. John D. Dingell (D, Mich.), who chairs the House Energy and Commerce Committee. "We will be seeking information to determine what safeguards are in place, where the system broke down and how to best fix it." The committee will question the NHLBI on what policies it will change to protect patients, added Dingell.
One of the study participants happened to be Rep. Joe Barton (R, Texas), co-chair and a founding member of the Congressional Privacy Caucus, whose mission is to advocate for legislation protecting personal privacy. Barton wrote HHS Inspector General Daniel R. Levinson and asked him to review why the data weren't encrypted and why there was a delay in notifying participants. He also asked Levinson to investigate how private health data entrusted to the NIH could be inadvertently compromised and whether there have been similar incidents at the institutes.