By ELISE CASTELLI
March 24, 2008
Personal data on a stolen National Institutes of Health laptop was not
secured by encryption measures, as federal regulations require.
As a result, medical data on nearly 2,500 patients is at risk following
the February theft of a laptop from the locked trunk of a laboratory
The [National Heart, Lung and Blood Institute] recognizes that such
information should not have been stored in an unencrypted form on a
laptop computer, said Elizabeth Nabel, director of NHLBI, a division of
NIH. However, at the time of the theft, the laptop was off and protected
by a password that would take considerable computer sophistication to
crack, she said in a March 24 statement.
Letters to affected patients participants in a cardiac MRI study between
2001 and 2007 didnt go out until March 20, nearly a month after the
computer was reported stolen.
The NIH Center for Information Technology determined that the theft was
random and there is a low likelihood that patients identities would be
stolen, Nabel said.
NIH is working to improve data security following the data loss. All
NHLBI laptops will be encrypted according to Office of Management and
Budget rules, she said.
Subscribe to InfoSec News