Stolen laptop compromises privacy of NIH study subjects

The computer had been left in a researcher's car and contained unencrypted data on more than 3,000 research participants.

By Dave Hansen — Posted April 21, 2008


The theft of a laptop from a National Institutes of Health researcher is an example of why physicians and other health care professionals must remain vigilant about the security of patient data, said a privacy expert.

The computer was stolen on Feb. 23 from the trunk of a car belonging to the researcher, who is employed by the National Heart, Lung and Blood Institute, a part of the National Institutes of Health. The laptop contains information on 3,078 participants in a cardiac study conducted between 2001 and 2007, said NHLBI Director Elizabeth G. Nabel, MD. The information should have been encrypted but was not, she said.

An earlier attempt at encryption corrupted much of the data, explained NHLBI spokeswoman Susan Dambrauskas. A laboratory official had requested another encryption process prior to the theft, she said, but this had not yet been done.

NHLBI informed the study participants in late March about the theft, said Dambrauskas. The NHLBI "deeply regrets" the incident, Dr. Nabel stated.

The breach of security is "quite serious" and serves as a cautionary tale for physicians and other health care professionals, said Deven McGraw, MPH, director of the Health Privacy Project at the Center for Democracy and Technology, a nonprofit organization formed to advance free expression and privacy in technologically advanced communication media.

"Always taking the utmost care in protecting privacy and confidentiality measures is not a bad idea," she said. While it is impossible to create a security system impervious to human error, organizations must have strong security policies in place and enforce them, added McGraw.

Dambrauskas said that the Health Insurance Portability and Accountability Act's medical records security provisions do not apply in this case. The data, instead, are covered by the Federal Privacy Act, which regulates the use of personal information collected by the federal government, she said.

Violations of the Privacy Act are considered a misdemeanor and can result in fines of up to $5,000. Dambrauskas did not disclose if any disciplinary action had been taken in the incident. The researcher took the computer from his office for after-hours work, which is not a violation of NIH policy, said Dambrauskas.

NHLBI's Institutional Review Board, an independent committee that reviews the conduct of the institute's research, met on March 4 and determined that study participants should be notified about the theft, Dr. Nabel said. NHLBI approved a notification letter on March 20. She did not give a reason for the delay between the theft and notification.

Information in the laptop included each participant's name, birth date, hospital medical record number and MRI data, Dr. Nabel said. It did not contain Social Security numbers, addresses, telephone numbers or any of the participants' financial information, she said.

The computer probably was not stolen for its information, concluded security specialists at NHLBI's Center for Information Technology. The incident poses little chance of identity theft or adverse financial implications, they said.

The laptop was password-protected and turned off. Retrieving the data would require considerable computer sophistication, Dr. Nabel said. It had not been recovered as of press time in early April.

The NHLBI will inspect every staff computer to ensure encryption software is installed and will require every staff member to take computer security training on a regular basis, Dr. Nabel said.

Congress seeks answers

Prominent House Democrats announced they will investigate the incident, particularly why it took several weeks to notify study participants that the data were stolen.

"The stunning failure to act by both NIH and the Dept. of Health and Human Services raises troubling questions," said Rep. John D. Dingell (D, Mich.), who chairs the House Energy and Commerce Committee. "We will be seeking information to determine what safeguards are in place, where the system broke down and how to best fix it." The committee will question the NHLBI on what policies it will change to protect patients, added Dingell.

One of the study participants happened to be Rep. Joe Barton (R, Texas), co-chair and a founding member of the Congressional Privacy Caucus, whose mission is to advocate for legislation protecting personal privacy. Barton wrote HHS Inspector General Daniel R. Levinson and asked him to review why the data weren't encrypted and why there was a delay in notifying participants. He also asked Levinson to investigate how private health data entrusted to the NIH could be inadvertently compromised and whether there have been similar incidents at the institutes.

Major breaches in data security

The theft of a laptop computer from a National Heart, Lung and Blood Institute researcher may have compromised data on more than 3,000 individuals, but that number is small compared with some incidents in recent years.

Year | Number affected | Company
2005 | 40 million | CardSystems Solutions Inc. (Processor of credit card/other payments)
2006 | 26.5 million | Dept. of Veterans Affairs
2007 | 45.7 million | TJX Companies Inc. (Discount retailer)

Source: Data Loss Archive and Database.
