The National Institute of Health has reported that a laptop with patients’ data has been stolen. The theft took place about a month ago, but the incident was not made public until today. Approximately 2500 patients may be affected by the latest data security breach, since the laptop in question did not feature full disk encryption.
The information in the laptop included names, medical diagnoses, and details of the patients’ hearts. Information that would be readily useful to identity thieves—such as Social Security numbers, phone numbers, addresses, and financial information—were not included. (Question: why would financial information be collected for a heart study?) Regardless, the incident is being considered very seriously because it represents a violation of the government’s data protection policy and a violation of patients’ privacy.
The latter is self‑explanatory. Doctor‑patient confidentiality exists for many reasons, including incentives for patients to give honest and accurate description of symptoms. The former, too, is self‑explanatory: things get stolen or lost. And when laptop computers get lost or stolen, numerous people may be affected, in the range of, say, oh, I don’t know, approximately twenty‑five hundred people.
The washingtonpost.com has a write‑up of this case, and it’s quite an interesting read because, if anything, it gives you a view into how that particular bureaucracy works (there is a reason why it took so long to report the theft to the public). In summary, the now‑missing laptop was to be encrypted, but the process failed for some reason. The person using the laptop failed to do a follow up on this matter and the computer subsequently got stolen from his car’s trunk.
In some ways, I wish we were dealing with brain researchers so I could make a crack about laptop encryption not being brain surgery. Alas, it is not to be.
I think there are two people to blame for this information security breach. Or rather, there is someone to blame in addition to the heart researcher who was using the laptop. Clearly, a large part of the blame falls on the researcher himself. He knew his laptop was not encrypted. He was also in a better position to know what kind of data could be found on his laptop, and the potential ramifications if it were to be stolen.
However, it’s also true that there should have been some form of oversight, i.e., auditing and correcting any shortcomings. For example, with an encryption solution like AlertBoot, not only do you get an easy and centrally managed whole disk encryption system, you get a superior reporting engine, allowing you to easily perform audits on the state of the computers’ encryption and ensure nothing fell through the cracks. It stands to reason that someone other than the laptop owner would be in charge of running such reports. In the case of the NIH, it looks like this person fell asleep at the wheel.