A laptop containing medical information of 2,500 patients enrolled in a National Institutes of Health (NIH) study was stolen in February, potentially exposing seven years' worth of clinical trial data, including names, medical diagnoses and details of the patients' heart scans.
The information was not encrypted, in violation of the government's data-security policy, the Washington Post reported.
NIH officials made no public comment about the theft and did not send letters notifying the affected patients of the breach until March 20. NIH said it hesitated out of concern that it would provoke undue alarm, according to the Post.
Elizabeth G. Nabel, director of the National Heart, Lung and Blood Institute (NHLBI), said in a statement issued Friday that "when volunteers enroll in a clinical study, they place great trust in the researchers and study staff, expecting them to act both responsibly and ethically." She said that "we deeply regret that this incident may cause those who have participated in one of our studies to feel that we have violated that trust."
“The information pertained to about 2,500 participants in a cardiac MRI study conducted between 2001 and 2007 and included each participant’s name, birth date, hospital medical record number, and data contained in MRI reports such as measurements and diagnoses,” Nabel said.
Social Security numbers, phone numbers, addresses and financial information were not on the laptop, NIH officials said.
NIH officials said the laptop was taken Feb. 23 from the locked trunk of a car driven by an NHLBI laboratory chief, Andrew Arai, who had taken his daughter to a swim meet, the Post reported. The Institutes called it a random theft. Arai oversees the institute's research program on cardiac MRI and signed the letters to those whose data was exposed.
NIH said that the NHLBI Institutional Review Board (IRB), an independent committee that oversees the conduct of research in order to protect the rights and welfare of study participants, has met twice since the theft. On March 4, after reviewing the situation and the risks to the participants, the IRB decided that the patients should be informed about the incident.
On March 20, the NHLBI IRB sent a letter to study participants, informing them of the breach.
To prevent further incidents, the NHLBI is conducting follow-up procedures with those responsible for this incident and has taken several steps to increase data security and protect the privacy of current and future study participants.
Nabel said that “we are ensuring that all NHLBI laptop computers are encrypted, as required by policies of the DHHS [Department of Health and Human Services] and the Office of Management and Budget. Laptop computers in the possession of NHLBI research staff are being inspected by NIH CIT [Center for Information Technology] information security personnel to ensure that appropriate encryption software is installed.”