The government's mishandling of confidential information drew widespread concern with the May 2006 theft of a Veterans Affairs laptop and detachable hard drive from an employee's home in Aspen Hill. The computer equipment, which was later recovered, contained the names, Social Security numbers and birth dates of more than 26 million military veterans.
In June 2006, the Bush administration responded to the VA incident by giving federal agencies 45 days to secure all portable computers and devices carrying sensitive data. Yet the string of mishaps continued.
Earlier this year, congressional investigators at the Government Accountability Office criticized the Internal Revenue Service for failing to secure all taxpayer data. In February 2007, an unencrypted hard drive containing medical information for 535,000 patients disappeared from a Veterans Affairs facility in Birmingham, Ala.
Josephine Schuda, a VA spokeswoman, said the hard drive couldn't be encrypted. "Generally our policy is to encrypt all portable devices. Occasionally, we discover somebody has not followed policy, and we try to remedy that as fast as we can," she said.
Many private companies and hospitals are also struggling to secure mobile devices. Last year, St. Mary's Hospital in Leonardtown reported the theft of a laptop with data on as many as 130,000 former and current patients.
Concern about the security of computer information isn't confined to easy-to-carry hardware. The Department of Agriculture was assailed for posting on its Web site the Social Security numbers of loan recipients.
Government encryption of laptops is of particular concern, however, because the computers often download sensitive data from large databases and are vulnerable to disappearance or theft.
While it's technically easy to encrypt portable computers, government managers do run into problems making sure every one is secured, said Shahid N. Shah, a healthcare information technology consultant in Silver Spring. But Shah said the managers needed to do so, given the information at stake. "It's private data," he said.
Shurin said the agency has received 20 calls from study participants since notifying them of the data theft, and most inquired about the type of information released. She said there is no indication that the personal data - which did not include Social Security numbers or addresses - was accessed on the missing laptop.
jonathan.rockoff@baltsun.com
