The National Institutes of Health (NIH) has just notified 2,500 patients who participated in a clinical trial that a laptop computer with their personal information was stolen in February, reports The Washington Post.
The laptop computer was stolen from the trunk of a car owned by Andrew Arai, a laboratory chief at the National Heart, Lung and Blood Institute (NHLBI). Defying the government's data-security policy, the NIH failed to encrypt the patients' personal information.
According to the Post:
In the letter, Arai told the patients that "some personally identifiable information" was on the stolen computer, including names, birth dates, hospital medical record numbers and MRI information reports, such as measurements and diagnoses. Social Security numbers, phone numbers, addresses and financial information were not on the laptop, officials said.
The incident recalls the 2006 theft of a laptop from the home of an employee of the Department of Veterans Affairs. The computer held the personal information of veterans and active-duty service members. It took 19 days before the VA notified those affected by the information breach.
The Post notes this breach comes after the Government Accountability Office warned the government about its lax data security policies.
The incident is the latest in a number of failures by government employees to properly secure personal information. This month, the found that at least 19 of 24 agencies reviewed had experienced at least one breach that could expose people's personal information to identity theft.
Officials at NIH and NHLBI said they waited nearly a month to tell patients of the theft because "there were concerns about not causing patients undue alarm" - a response they now doubt was appropriate.
Since the incident, the NIH says that all its laptops are encrypted, that all its employees will undergo regular computer security training, and that personally identifying information will no longer be stored on the institute's laptops.