Some 2,500 patients enrolled in a National Institutes of Health (NIH) study have had their personal medical information compromised due to a stolen laptop computer containing seven years of clinical trial data, including names, birth date, hospital medical record numbers, medical diagnosis, and MRI information reports.
The laptop computer was taken on February 23 from the locked trunk of a car driven by a National Heart, Lung, and Blood Institute (NHLBI) laboratory chief named Andrew Arai. However, NIH officials made no public comment and did not send letters to those patients who were compromised until nearly a month later.
“The shocking part here is we now have personally identifiable information — name and age — linked to clinical data,” said Leslie Harris, executive director of the Center for Democracy & Technology. “If somebody does not want to share the fact that they’re in a clinical trial or the fact they’ve got a heart disease, this is very, very serious. The risk of identity theft and of revealing highly personal information about your health are closely linked here.”
Officials said they did not send notifications sooner because they did not want to unnecessarily alarm those involved and that the theft posed a “low likelihood of identify fraud” or financial harm.
Recommendations were made after the theft of a Department of Veterans Affairs laptop in 2006 that contained personal information about veterans and active duty service members that all portable electronic devices be routinely loaded with encryption software. However, the NIH failed to encrypt the laptop that was stolen in this incident. In a statement the NIH said that they are now ensuring that all laptop computers are encrypted, staff members take regular security training and patient names, and other identifying information will no longer be stored on laptops.