Lost Laptop Follies, Part 7: NIH Loses Health Records

by on March 24, 2008 · 13 comments

As I noted in previous installments of this series, our government seems to have an increasingly hard time keeping tabs on sensitive data. Unfortunately, there’s been another incident on this front. The Washington Post reported this morning that:

“A government laptop computer containing sensitive medical information on 2,500 patients enrolled in a National Institutes of Health study was stolen in February, potentially exposing seven years’ worth of clinical trial data, including names, medical diagnoses and details of the patients’ heart scans. The information was not encrypted, in violation of the government’s data-security policy. NIH officials made no public comment about the theft and did not send letters notifying the affected patients of the breach until last Thursday — almost a month later. They said they hesitated because of concerns that they would provoke undue alarm.”

Undue alarm? Geez, I can’t imagine why! My friend Leslie Harris of CDT notes in the story that, “The shocking part here is we now have personally identifiable information — name and age — linked to clinical data. If somebody does not want to share the fact that they’re in a clinical trial or the fact they’ve got a heart disease, this is very, very serious. The risk of identity theft and of revealing highly personal information about your health are closely linked here.”

But hey, we wouldn’t want to provoke “undue alarm” by telling those folks about the data breach! Pathetic. As I’ve pointed out before, if this happened in the private sector, trial lawyers would be salivating and lawsuits would be flying. By contrast, when the government loses personal information—information that is usually more sensitive than that which private actors collect—about the most that ever comes out of it is another GAO report calling for “more accountability.”

I can’t wait to see how well all our health care records are “secured” once we have socialized medicine in this country.

  • http://www2.blogger.com/profile/14380731108416527657 Steve R.

    Once again it's time to point out that computer security is not just a government problem but a problem for everyone. Private industry security is just as lax. To only point out government security shortcomings is one-sided and fails to disclose how pervasive this problem is.
    ————————————–
    The “Laptop Security Blog” contains a post dated March 24, 2008 that: “Hannaford Bros. CEO Ron Hodge has issued a statement this week that 4.2 million of its customers have been exposed to fraud due to a security breach. Fraud has been detected already in 1800 cases.”

    also see: http://www.hannaford.com/Contents/News_Events/News/News.shtml

  • http://www.guerilla-ciso.com/ rybolov

    Hmmm, it seems to me that each agency was required in July 2007 by OMB to have a breach notification policy within 120 days. http://www.whitehouse.gov/omb/memoranda/fy2007/m07-16.pdf

    Also, just so you know, the Government Accountability Office has nothing to do with accountability, they’re just the auditors for Congress. It sounds loftier than it really is. =)

  • Harry Duplantis

    your site is on my favorites now

  • Web Developer

    Trust me, we are so close to socialized medicine that it is scary. Last week I interviewed for a web applications development position at NIH. The project is a Personal Health Records (PHR) retention system. Now it is great to have a central collection system but this system is in the reach and control of unscrupulous politicians. Just as the Dept of Commerce census process has been moved to the White House, so will your right to medical service be “adjusted” for the good of the (socialist) party.

  • http://www.ilchilee.us/ Ilchi Lee

    They said they hesitated because of concerns that they would provoke undue alarm.”

  • John Parker

    They said they hesitated because of concerns that they would provoke undue alarm.”
