[ISN] Stolen NIH Laptop Held Social Security Numbers

From: InfoSec News (alerts@private)
Date: Fri Apr 11 2008 - 01:10:31 PDT


http://www.washingtonpost.com/wp-dyn/content/article/2008/04/09/AR2008040903680.html

By Rick Weiss and Ellen Nakashima
Washington Post Staff Writers
April 10, 2008

Social Security numbers for more than 1,200 participants in a National 
Institutes of Health study were stored on a stolen laptop containing 
their medical records, putting those patients at risk of identity theft, 
agency officials said yesterday.

NIH officials had initially assured the more than 3,000 patients whose 
records were on the laptop that the computer's contents -- unencrypted, 
in violation of federal policy -- did not contain any information that 
could put their identity or finances at risk.

But an ongoing review of the computer's last-known contents, performed 
on data backed up from the laptop before it was stolen, has found a file 
that, unbeknownst to the lead researcher, had been loaded onto the 
laptop by a research associate.

That file included Social Security numbers for at least 1,281 of the 
3,078 patients enrolled in the multi-year study, which is sponsored by 
the NIH's National Heart, Lung and Blood Institute (NHLBI).

NIH spokesman John Burklow said yesterday that letters are being sent to 
all those affected, informing them of the risk and offering them free 
registration for a service that will allow them to monitor their credit 
reports. The NIH is also insuring each participant for up to $20,000 in 
losses from identity theft.

The cost to taxpayers for those services is estimated to be $18,400.

"This is a hard lesson for NIH," Burklow said. "The question is, what 
have we learned, and what are we doing to prevent information security 
breaches in the future?"

For starters, Burklow said, NIH Director Elias A. Zerhouni yesterday 
sent an electronic memo to employees of the $28 billion agency, 
reminding them of the importance of following rules governing computer 
encryption and patient privacy.

In the memo, marked "Urgent" and bearing the subject line "IMPORTANT 
MESSAGE FROM DIRECTOR, NIH," Zerhouni called the privacy breach "a 
serious violation of our commitment to protect the confidentiality of 
our patients" and told employees "we must do a far better job of 
protecting data" on laptops and portable storage devices.

The memo insisted that NIH employees immediately encrypt their laptops, 
memory devices and, in some cases, e-mail accounts, and warned that 
random audits would begin immediately.

At the same time, the memo acknowledged a little-talked-about fact: 
There is as yet no government-approved encryption software for use on 
Macintosh laptops, a popular brand among scientists. For now, the memo 
concludes, that means Macs must not be used to store sensitive data and 
Mac users must delete incoming e-mails containing sensitive information 
immediately after remotely archiving that information at a secure site.

With several more paragraphs devoted to instructions for ensuring proper 
data protection on flash drives, BlackBerrys and other electronic 
devices, the memo offers compelling evidence of what an enormously 
daunting task NIH and other agencies face: More and more information and 
analysis are collected and conducted on portable devices that are easily 
misplaced or stolen.

It is a task, however, that legislators yesterday said must be 
accomplished, lest public trust be lost.

"In the wrong hands, Social Security numbers let people unlock our lives 
and steal both our money and our reputations . . . and the government 
largely has failed to do much about it," said Rep. Joe Barton (R-Tex.), 
who last week revealed that he was in the NIH study and that his medical 
records were among those on the stolen laptop. "Indeed, now the 
government itself is losing Social Security numbers."

Several members of Congress have initiated investigations into the 
matter, as has NIH and the inspector general of the Department of Health 
and Human Services.

Burklow said technicians are still sifting through the backup computer 
contents to see if other surprises are there.

The file containing the Social Security numbers was overlooked on 
initial examination of the laptop's 36,000 files, he said, because it 
had a seemingly meaningless title.

Investigators have now determined that it was loaded onto the laptop by 
a clinical research fellow as part of an effort to cross-match the names 
of study participants with the National Death Index maintained by the 
National Center for Health Statistics, which collects death records from 
state vital statistics offices.

© 2008 The Washington Post Company
This archive was generated by hypermail 2.1.3 : Fri Apr 11 2008 - 01:20:23 PDT