OT:Lawmakers Question NIH Handling of Data Loss

[Guest guest]

Lawmakers Question NIH Handling of Data Loss

Washington Post*

From News Services

Tuesday, March 25, 2008; Page A05

http://www.washingtonpost.com/wpdyn/content/article/2008/03/24/AR2008

032402647.html

Lawmakers questioned yesterday why the National Institutes of Health

waited almost a month to warn 2,500 patients enrolled in a federal

medical study that some of their unencrypted medical information was

in a stolen laptop computer.

The laptop was stolen Feb. 23 from the locked trunk of a

researcher's car, but NIH did not send letters notifying the

patients until March 20.

" The stunning failure to act . . . raises troubling questions, " said

Rep. D. Dingell (D-Mich.).

The House Energy and Commerce Committee, which Dingell chairs, began

an investigation yesterday into the delay and why the patients'

records were not encrypted, in violation of federal policy.

" Electronic information travels in seconds and minutes, not days and

weeks. The NIH should take as much care in protecting its patients'

personally identifiable information as it does when handling blood

samples, " said Sen. Norm (R-Minn.).

Rep. J. Markey (D-Mass.), who chairs the Congressional

Privacy Caucus, sent a letter to Health and Human Services Secretary

Mike Leavitt asking why the laptop was not encrypted, what steps the

department would take to prevent future breaches and whether there

had been similar episodes in the past three years.

And the chairman of the House subcommittee on oversight and

investigations vowed to investigate. " The theft of a government

laptop from an NIH employee and the subsequent mishandling of the

situation raise serious questions about the agency's commitment to

data security, " said Rep. Bart Stupak (D-Mich.).

The government has required encryption of sensitive data stored on

laptops since the 2006 theft of computer equipment that contained

data on 26.5 million veterans. But a review by the Government

Accountability Office last month, requested by , found few

federal agencies had taken enough steps to protect personal

information.

NIH said there is little risk of identity theft from the kind of

information the laptop contained. The patients were enrolled in a

cardiac study, and the password-protected records contain patient

names, their diagnosis of heart disease, MRI heart scans and birth

dates -- but not Social Security numbers, addresses or phone

numbers.

NIH " recognizes that such information should not have been stored in

an unencrypted form on a laptop computer, " Nabel, of NIH's

National Heart, Lung and Blood Institute, said in a statement.