Laptop stolen from NHLBI contained personal health information

Date Reported:
3/24/08

Organization:
U.S. Government

Contractor/Consultant/Branch:
Department of Health and Human Services
National Institutes of Health
National Heart, Lung, and Blood Institute ("NHLBI")

Victims:
"participants in a cardiac MRI study conducted between 2001 and 2007"

Number Affected:
~2,500

Types of Data:
"name, birth date, hospital medical record number, and data contained in MRI reports such as measurements and diagnoses"

Breach Description:
"The unencrypted medical information of about 2,500 participants in a cardiac study conducted by the National Heart, Lung and Blood Institute (NHLBI) may have been compromised by the theft of a laptop PC last month."

Reference URL:
NHLBI Press Release
ComputerWorld
The Washington Post

Report Credit:
NHLBI

Response:
From the online sources cited above:

A government laptop computer containing sensitive medical information on 2,500 patients enrolled in a National Institutes of Health study was stolen in February, potentially exposing seven years' worth of clinical trial data, including names, medical diagnoses and details of the patients' heart scans.

The information was not encrypted, in violation of the government's data-security policy.
[Evan] What good is a policy if it is not followed or enforced?  There should be penalties for non-compliance.

"Although the laptop was turned off and password-protected, so that retrieving the confidential information would require considerable computer sophistication, the NHLBI recognizes that such information should not have been stored in an unencrypted form on a laptop computer,"
[Evan] This is comical.  Really, "considerable computer sophistication"?  Not!

NIH officials made no public comment about the theft and did not send letters notifying the affected patients of the breach until last Thursday -- almost a month later.

They said they hesitated because of concerns that they would provoke undue alarm.
[Evan] On the one hand, I don't know if a month is too long for a notification.  On the other hand, this is the wrong reason for delaying notification.

"If somebody does not want to share the fact that they're in a clinical trial or the fact they've got a heart disease, this is very, very serious. The risk of identity theft and of revealing highly personal information about your health are closely linked here."

Elizabeth G. Nabel, director of the National Heart, Lung and Blood Institute (NHLBI), said in a statement issued late Friday that "when volunteers enroll in a clinical study, they place great trust in the researchers and study staff, expecting them to act both responsibly and ethically." She said that "we deeply regret that this incident may cause those who have participated in one of our studies to feel that we have violated that trust."

NIH officials said the laptop was taken Feb. 23 from the locked trunk of a car driven by an NHLBI laboratory chief named Andrew Arai, who had taken his daughter to a swim meet in Montgomery County.

Arai oversees the institute's research program on cardiac magnetic resonance imaging and signed the letters to those whose data was exposed.

Arai told the patients that "some personally identifiable information" was on the stolen computer, including names, birth dates, hospital medical record numbers and MRI information reports, such as measurements and diagnoses. Social Security numbers, phone numbers, addresses and financial information were not on the laptop.

The NIH Center for Information Technology determined that the theft posed "a low likelihood of identity fraud" or financial harm. "It is, however, an unfortunate breach of our commitment to protect the confidentiality of your research records,"

An initial effort by information technology personnel failed to encrypt the laptop before it was stolen and Arai neglected to follow up, according to NHLBI spokeswoman Susan Dambrauskas.
[Evan] IT personnel tried to encrypt the laptop, ran into problems, gave up, and let the laptop go back into production?  This is unacceptable.  The policy requires that laptops be encrypted, it doesn't state "unless you have problems with the installation of encryption software…"  I don't know why people think that policy is negotiable.

Three offices that focus on information security within NIH and the Department of Health and Human Services were contacted within three days of the theft.

Officials did not report it to the NHLBI Institutional Review Board -- whose job is to protect the well-being of patients in research -- until Feb. 29, six days after the theft. That put the matter on the board's agenda for its next meeting, on March 4, according to the board's chairman, Alison Wichman.
[Evan] So did they really delay the notification because they didn't want to "provoke undue alarm", or was the notification delayed due to poor incident response?  Waiting until the next regularly scheduled board meeting to decide what to do is wrong.  An incident response team should have the authority to decide these matters and respond ASAP.

A notification letter was approved last Thursday and then sent via overnight delivery to each of the affected individuals for whom the institute had a current address.
[Evan] As an example, Express Mail Flat-Rate Envelope (overnight) service is $16.25.  2,500 mailings @ $16.25 each = $40,625.00.  Of course, the government gets a MUCH better price, but somebody has to pay somewhere.

The NHLBI is conducting proper follow-up procedures with those responsible for this incident and has taken several steps to increase data security and protect the privacy of current and future study participants.  First, we are ensuring that all NHLBI laptop computers are encrypted, as required by policies of the DHHS and the Office of Management and Budget.  Laptop computers in the possession of NHLBI research staff are being inspected by NIH CIT information security personnel to ensure that appropriate encryption software is installed.  All NHLBI staff have been required to take regular computer security training, and this requirement will continue to be strongly enforced in the future as it was in the past. We have also emphasized that NHLBI staff are never to keep patient names, other identifying information, or identifiable medical information on a laptop computer.
[Evan] Excellent, but this was ALREADY supposed to be done!  Now that something bad has happened, we have decided to follow our policy.

"The stunning failure to act ... raises troubling questions," said Rep. John Dingell, D-Mich.

"Electronic information travels in seconds and minutes, not days and weeks. The NIH should take as much care in protecting its patients' personally identifiable information as it does when handling blood samples," said Sen. Norm Coleman, R-Minn.

Commentary:
What can we say?  Can the NHLBI claim that they didn't know the risks or the policy?  Do they read the news?  It's frustrating.

Past Breaches:
U.S. Government:
Too many to mention, latest March, 2008 - A breach that hits home with 2008 presidential candidates
