
OT:Stolen NIH Laptop Held Social Security Numbers

Guest guest

Stolen NIH Laptop Held Social Security Numbers

Washington Post*

By Rick Weiss and Ellen Nakashima

Washington Post Staff Writers

Thursday, April 10, 2008; Page A05

http://www.washingtonpost.com/wpdyn/content/article/2008/04/09/AR2008040903680.html

Social Security numbers for more than 1,200 participants in a National Institutes of Health study were stored on a stolen laptop containing their medical records, putting those patients at risk of identity theft, agency officials said yesterday.

NIH officials had initially assured the more than 3,000 patients whose records were on the laptop that the computer's contents -- unencrypted, in violation of federal policy -- did not contain any information that could put their identity or finances at risk.

But an ongoing review of the computer's last-known contents, performed on data backed up from the laptop before it was stolen, has found a file that, unbeknownst to the lead researcher, had been loaded onto the laptop by a research associate.

That file included Social Security numbers for at least 1,281 of the 3,078 patients enrolled in the multi-year study, which is sponsored by the NIH's National Heart, Lung and Blood Institute (NHLBI).

NIH spokesman Burklow said yesterday that letters are being sent to all those affected, informing them of the risk and offering them free registration for a service that will allow them to monitor their credit reports. The NIH is also insuring each participant for up to $20,000 in losses from identity theft.

The cost to taxpayers for those services is estimated to be $18,400.

"This is a hard lesson for NIH," Burklow said. "The question is, what have we learned, and what are we doing to prevent information security breaches in the future?"

For starters, Burklow said, NIH Director Elias A. Zerhouni yesterday sent an electronic memo to employees of the $28 billion agency, reminding them of the importance of following rules governing computer encryption and patient privacy.

In the memo, marked "Urgent" and bearing the subject line "IMPORTANT MESSAGE FROM DIRECTOR, NIH," Zerhouni called the privacy breach "a serious violation of our commitment to protect the confidentiality of our patients" and told employees "we must do a far better job of protecting data" on laptops and portable storage devices.

The memo insisted that NIH employees immediately encrypt their laptops, memory devices and, in some cases, e-mail accounts, and warned that random audits would begin immediately.

At the same time, the memo acknowledged a little-talked-about fact: There is as yet no government-approved encryption software for use on Macintosh laptops, a popular brand among scientists. For now, the memo concludes, that means Macs must not be used to store sensitive data and Mac users must delete incoming e-mails containing sensitive information immediately after remotely archiving that information at a secure site.

With several more paragraphs devoted to instructions for ensuring proper data protection on flash drives, BlackBerrys and other electronic devices, the memo offers compelling evidence of what an enormously daunting task NIH and other agencies face: More and more information and analysis are collected and conducted on portable devices that are easily misplaced or stolen.

It is a task, however, that legislators yesterday said must be accomplished, lest public trust be lost.

"In the wrong hands, Social Security numbers let people unlock our lives and steal both our money and our reputations . . . and the government largely has failed to do much about it," said Rep. Joe Barton (R-Tex.), who last week revealed that he was in the NIH study and that his medical records were among those on the stolen laptop. "Indeed, now the government itself is losing Social Security numbers."

Several members of Congress have initiated investigations into the matter, as has NIH and the inspector general of the Department of Health and Human Services.

Burklow said technicians are still sifting through the backup computer contents to see if other surprises are there.

The file containing the Social Security numbers was overlooked on initial examination of the laptop's 36,000 files, he said, because it had a seemingly meaningless title.

Investigators have now determined that it was loaded onto the laptop by a clinical research fellow as part of an effort to cross-match the names of study participants with the National Death Index maintained by the National Center for Health Statistics, which collects death records from state vital statistics offices.
