NIH laptop theft prompts security questions
The theft, involving seven years' worth of clinical trial data, occurred in February but was not revealed by the NIH until last week, nearly a month after the loss. The machine included names, medical diagnoses and details of the patients' heart scans. The information on the laptop was not encrypted, a violation of government data-security guidelines.
NIH officials said they waited nearly a month to announce the theft because they believed news of the event would cause alarm among patients affected. A similar notification delay was seen following the 2006 theft of a laptop from a Department of Veterans Affairs (VA) employee's home, when VA officials delayed notification of the loss of personal information about veterans and active-duty service members for 19 days.
Rep. John Dingell, D-Mich., chairman of the U.S. House Energy and Commerce Committee, is leading an investigation into the breach and said he wants to know why there was a lag in time between theft and notification, according to reports.
NIH officials said the laptop was stolen Feb. 23 from the locked trunk of a car driven by an employee who had taken his daughter to a swim meet in Montgomery County, Md.
In a letter to affected patients, the NIH said that personally identifiable information such as names, birth dates, hospital medical record numbers and MRI information reports such as measurements and diagnoses, was on the stolen laptop.
The letter was signed by the employee who was the subject of the theft, Andrew Arai, the laboratory chief of the National Heart, Lung and Blood Institute, part of the NIH.
Social Security numbers, phone numbers, addresses and financial information were not on the laptop, according to the NIH.
The NHI theft is the most recent a series of failures by government agencies to properly secure personal information. In a report earlier this month, the Government Accountability Office found that 19 of the 24 agencies it had investigated had experienced at least one breach that could reveal personal information and lead to identity theft.
The NIH incident was a "breakdown in policy enforcement that is a pervasive problem across all industries," Brian Cleary, vice president of marketing for security vendor Aveksa, told SCMagazineUS.com on Monday.
“Regardless of what industry, whether it's a commercial or government entity, we're not finding that they are governing data and access very effectively,” he said. “If you know a mobile device is subject to a high degree of risk, you need to enforce better policies on what types of sensitive information can be stored on those devices."
That another government agency would lose an unencrypted laptop is surprising considering all the recent attention paid to such breaches, Lark Allen, executive vice president at security vendor Wave Systems, told SCMagazineUS.com.
"Quite frankly, for an organization like the NIH, I find it very surprising -- there can't be anyone there who doesn't understand how critical it is for encrypting the data,” he said.
But encryption can be complex.
“The operational challenge of deploying software-based encryption to tens of thousands of laptops" is not to be underestimated, Allen said. “Installing encryption software on an existing laptop remotely is probably a bigger challenge than installing other types of software," he said.
Many new laptops now come with hardware-based encryption, which encrypts the entire drive, he added.
The NIH did not respond to SCMagazineUS.com's request for comment on the theft.