WASHINGTON -- First it was the Department of Veterans Affairs. Then, the Internal Revenue Service. Now, the National Institutes of Health is the latest federal agency that failed to encrypt laptop computers containing sensitive private information.
The recent theft of a laptop that had medical test results for 2,500 patients in an NIH heart imaging study shows that the government is still not guarding private information, despite new rules, privacy specialists say.
"The issue isn't so much with the policy; it's with the policy being followed in practice," said Joy Pritts, a Georgetown University researcher who specializes in health care privacy.
The laptop was reported stolen from Dr. Andrew E. Arai's locked car trunk Feb. 23, but the National Heart, Lung and Blood Institute alerted patients to the data theft only last week.
Their names, birth dates and test results from an ongoing heart imaging study were not encrypted because the agency hadn't gotten around to securing Arai's laptop, said Dr. Susan Shurin, the institute's deputy director. Officials said there was a delay in informing patients of the breach of confidential information because it wasn't initially clear that the laptop held personal information.
"This justifies a hard look at the whole system as well as the individual," said Shurin, who said the institute had begun checking every laptop for encryption and reminding staff to avoid keeping private information on laptops unless necessary.
Arai, the study's lead investigator, said the laptop was taken from his car while it was parked in Germantown and that he reported it to police within an hour.
"Everyone is trying to do the best they can, myself included. Everyone feels badly about what happened," Arai said of the incident, which was first reported yesterday by The Washington Post.
Rep. Edward J. Markey, a Massachusetts Democrat who chairs the Congressional Privacy Caucus, sent a letter to Health and Human Services Secretary Michael O. Leavitt asking why the laptop wasn't encrypted, what steps the department will take to prevent another breach and whether there had been similar episodes in the past three years.
The chairman of the House Subcommittee on Oversight and Investigations vowed to investigate. "The theft of a government laptop from an NIH employee and the subsequent mishandling of the situation raise serious questions about the agency's commitment to data security," said Rep. Bart Stupak, a Democrat from Michigan.
The government's mishandling of confidential information drew widespread concern with the May 2006 theft of a Veterans Affairs laptop and detachable hard drive from an employee's home in Aspen Hill. The computer equipment, which was later recovered, contained the names, Social Security numbers and birth dates of more than 26 million military veterans.
In June 2006, the Bush administration responded to the VA incident by giving federal agencies 45 days to secure all portable computers and devices carrying sensitive data. Yet the string of mishaps continued.
Earlier this year, congressional investigators at the Government Accountability Office criticized the Internal Revenue Service for failing to secure all taxpayer data. In February 2007, an unencrypted hard drive containing medical information for 535,000 patients disappeared from a Veterans Affairs facility in Birmingham, Ala.
Josephine Schuda, a VA spokeswoman, said the hard drive couldn't be encrypted. "Generally our policy is to encrypt all portable devices. Occasionally, we discover somebody has not followed policy, and we try to remedy that as fast as we can," she said.
Many private companies and hospitals are also struggling to secure mobile devices. Last year, St. Mary's Hospital in Leonardtown reported the theft of a laptop with data on as many as 130,000 former and current patients.
Concern about the security of computer information isn't confined to easy-to-carry hardware. The Department of Agriculture was assailed for posting on its Web site the Social Security numbers of loan recipients.
Government encryption of laptops is of particular concern, however, because the computers often download sensitive data from large databases and are vulnerable to disappearance or theft.
While it's technically easy to encrypt portable computers, government managers do run into problems making sure every one is secured, said Shahid N. Shah, a healthcare information technology consultant in Silver Spring. But Shah said the managers needed to do so, given the information at stake. "It's private data," he said.
Shurin said the agency has received 20 calls from study participants since notifying them of the data theft, and most inquired about the type of information released. She said there is no indication that the personal data - which did not include Social Security numbers or addresses - was accessed on the missing laptop.