March 24, 2008

Government Data Protection: Another Day, Another Lost Laptop

In what is becoming an all-too-regular development, another U.S. government agency suffered a breach of confidential information. This time, a laptop containing sensitive medical information on 2,500 patients enrolled in a National Institutes of Health clinical trial was stolen in February. As is par for the course, NIH is only getting around to reporting it now.

In a letter to affected individuals, Andrew Arai, a laboratory chief at the National Heart, Lung and Blood Institute (NHLBI), said the laptop was stolen from the trunk of his car. He told the patients that some personally identifiable information was on the stolen computer, including names, birth dates, hospital medical record numbers and MRI information reports, such as measurements and diagnoses. Social Security numbers, phone numbers, addresses and financial information were not on the laptop, officials said.

We're supposed to find this last part reassuring.

Today’s Washington Post reports:

NIH officials made no public comment about the theft and did not send letters notifying the affected patients of the breach until last Thursday -- almost a month later. They said they hesitated because of concerns that they would provoke undue alarm.

The handling of the incident is reminiscent of a 2006 theft from the home of a Department of Veterans Affairs employee of a laptop with personal information about veterans and active-duty service members. In that case, VA officials waited 19 days before announcing the theft.

"The shocking part here is we now have personally identifiable information -- name and age -- linked to clinical data," said Leslie Harris, executive director of the Center for Democracy & Technology. "If somebody does not want to share the fact that they're in a clinical trial or the fact they've got a heart disease, this is very, very serious. The risk of identity theft and of revealing highly personal information about your health are closely linked here."

The incident is the latest in a number of failures by government employees to properly secure personal information. This month, the Government Accountability Office found that at least 19 of 24 agencies reviewed had experienced at least one breach that could expose people's personal information to identity theft.

It’s getting hard to tell what’s treated more cavalierly: taxpayer money or taxpayer data. The Veterans Affairs employee had violated an agency policy prohibiting the removal of laptops from the office. It is unknown whether a similar policy is in force at NHLBI or NIH. If not, any information security officer worth his salt would tell you there should have been.

Let’s keep these breaches in mind when we hear presidential candidates Hillary Clinton and Barack Obama, not to mention members of Congress from both parties, repeat their calls for a government-run health care information network that would collect, centralize and store every bit of data about the medical case histories of every American. Of course, they say, we can count on the promise that confidential data will be strictly safeguarded.

Just like at NIH and Veterans Affairs, to be sure.

Let’s also keep in mind that it was this same federal government that, as part of the Sarbanes-Oxley Act, unleashed a set of complex, onerous and sometimes contradictory standards for data security that are costing American business billions of dollars to meet (and prescribes felony charges if they don't), while there are federal (and state) agencies that hold far more important and valuable consumer data and would likely fail a SOX audit less than 30 minutes into the process.

Posted by steve.titch at March 24, 2008 02:09 PM
