US lawmakers upset at breach news delay

The laptop, which was stolen from a doctor’s locked car trunk February 23, contained some unencrypted research information from an ongoing study by the National Heart, Lung and Blood Institute (NHLBI). The theft occurred outside of the National Institutes of Health campus.

The information involved roughly 2,5000 participants in a cardiac MRI study conducted between 2001 and 2007 and included each participant’s name, birth date, hospital medical record number and data contained in MRI reports such as measurements.

The laptop contained no additional medical information on participants beyond the MRI reports and no information such as social security numbers, addresses or phone numbers. Participants were not notified until March 20.

Rep. Edward Markey, a Massachusetts Democrat who chairs the Congressional Privacy Caucus, sent a letter to Health and Human Services Secretary Michael Leavitt asking why the laptop was not encrypted and what steps the department would take to prevent another breach.

The National Institutes of Health said the incident was immediately reported to the police and is under investigation. The NHLBI said it would install encryption software on its laptops and conduct regular security training for its employees.

Following the theft of a Veterans Affairs laptop in May 2006, which contained personal data for 26.5 million veterans and military personnel, the Office of Management and Budget issued guidelines that require information on laptops across all government agencies to be encrypted.
