http://www.washingtonpost.com/wp-dyn/content/article/2008/04/09/AR2008040903680.html
By Rick Weiss and Ellen Nakashima
Washington Post Staff Writers
April 10, 2008

Social Security numbers for more than 1,200 participants in a National
Institutes of Health study were stored on a stolen laptop containing
their medical records, putting those patients at risk of identity theft,
agency officials said yesterday.

NIH officials had initially assured the more than 3,000 patients whose
records were on the laptop that the computer's contents -- unencrypted,
in violation of federal policy -- did not contain any information that
could put their identity or finances at risk.

But an ongoing review of the computer's last-known contents, performed
on data backed up from the laptop before it was stolen, has found a file
that, unbeknownst to the lead researcher, had been loaded onto the
laptop by a research associate.

That file included Social Security numbers for at least 1,281 of the
3,078 patients enrolled in the multi-year study, which is sponsored by
the NIH's National Heart, Lung and Blood Institute (NHLBI).

NIH spokesman John Burklow said yesterday that letters are being sent to
all those affected, informing them of the risk and offering them free
registration for a service that will allow them to monitor their credit
reports. The NIH is also insuring each participant for up to $20,000 in
losses from identity theft.

The cost to taxpayers for those services is estimated to be $18,400.

"This is a hard lesson for NIH," Burklow said. "The question is, what
have we learned, and what are we doing to prevent information security
breaches in the future?"

For starters, Burklow said, NIH Director Elias A. Zerhouni yesterday
sent an electronic memo to employees of the $28 billion agency,
reminding them of the importance of following rules governing computer
encryption and patient privacy.

In the memo, marked "Urgent" and bearing the subject line "IMPORTANT
MESSAGE FROM DIRECTOR, NIH," Zerhouni called the privacy breach "a
serious violation of our commitment to protect the confidentiality of
our patients" and told employees "we must do a far better job of
protecting data" on laptops and portable storage devices.

The memo insisted that NIH employees immediately encrypt their laptops,
memory devices and, in some cases, e-mail accounts, and warned that
random audits would begin immediately.

At the same time, the memo acknowledged a little-talked-about fact:
There is as yet no government-approved encryption software for use on
Macintosh laptops, a popular brand among scientists. For now, the memo
concludes, that means Macs must not be used to store sensitive data and
Mac users must delete incoming e-mails containing sensitive information
immediately after remotely archiving that information at a secure site.

With several more paragraphs devoted to instructions for ensuring proper
data protection on flash drives, BlackBerrys and other electronic
devices, the memo offers compelling evidence of what an enormously
daunting task NIH and other agencies face: More and more information and
analysis are collected and conducted on portable devices that are easily
misplaced or stolen.

It is a task, however, that legislators yesterday said must be
accomplished, lest public trust be lost.

"In the wrong hands, Social Security numbers let people unlock our lives
and steal both our money and our reputations . . . and the government
largely has failed to do much about it," said Rep. Joe Barton (R-Tex.),
who last week revealed that he was in the NIH study and that his medical
records were among those on the stolen laptop. "Indeed, now the
government itself is losing Social Security numbers."

Several members of Congress have initiated investigations into the
matter, as has NIH and the inspector general of the Department of Health
and Human Services.

Burklow said technicians are still sifting through the backup computer
contents to see if other surprises are there.

The file containing the Social Security numbers was overlooked on
initial examination of the laptop's 36,000 files, he said, because it
had a seemingly meaningless title.

Investigators have now determined that it was loaded onto the laptop by
a clinical research fellow as part of an effort to cross-match the names
of study participants with the National Death Index maintained by the
National Center for Health Statistics, which collects death records from
state vital statistics offices.

© 2008 The Washington Post Company
___________________________________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn