On February 23rd a laptop belonging to a National Institutes of Health (NIH) researcher was stolen from the locked trunk of his car, but it was not until March 20th before the NIH sent letters informing 2,500 participants in a clinical study that their medical records were stored in the stolen laptop.

The participants had taken part in a heart disease clinical trial study carried out by the National Heart Lung and Blood Institute (part of the NIH) from 2001 to 2007. The records, which are password protected, include their names, heart disease diagnosis, dates of birth and MRI heart scans. The records do not include their phone numbers, Social Security numbers or addresses.

Politicians want to know why it took the government nearly one month to let the enrollees know that their medical records had been stolen. Rep. John Dingell (D-Mich) said that this “stunning failure to act raises troubling questions”.

The House Energy and Commerce Committee started an investigation into this delay. The Committee, chaired by J. Dingell, would also like to know why participants’ records were not encrypted – a requisite, according to federal security policy. Encryption has been federal security policy every since computer equipment containing details on over 26 million veterans was stolen in 2006.

Senator Norm Coleman (R-Minn) wondered why the NIH did not take as much care protecting patient information as it does when handling blood samples. Coleman informs that very few federal agencies are taking the necessary steps to protect personal data.

According to the NIH, the police was informed as soon as they found out about the theft, which was described as a “random act”. It added that the risk of patients having their identities stolen was minimal as the information in the stolen laptop would not be useful for such purposes.

Dr. Elizabeth Nabel, National Heart Lung and Blood Institute (NHLBI), NIH, said that the institute recognizes that such data should not have been stored in an unencrypted form on a laptop computer. “We deeply regret that this incident may cause those who have participated in one of our studies to feel that we have violated that trust,” Nabel said. She added “When volunteers enroll in a clinical study, they place great trust in the researchers and study staff. The incident may cause those who participated in one of our studies to feel that we have violated that trust.”

All laptops of NIH employees are currently being encrypted, the NIH informs. NIH researchers have been instructed to make sure participants’ names are not stored in their laptops.

In an interview with CNN, Sudan Shirin, Deputy Director, NHLBI, said the stolen laptop had fallen through the cracks, when asked why it had not been encrypted. Shirin stressed that all NHLBI laptops are currently undergoing a “thorough review”.

Statement from Elizabeth G. Nabel, M.D., Director of the National Heart, Lung, and Blood Institute (NHLBI), on a Stolen NHLBI Laptop Computer

Written by – Christian Nordqvist