WASHINGTON – Lawmakers are questioning why the government waited almost a month to warn 2,500 patients enrolled in a National Institutes of Health study that some of their medical records were in a stolen laptop computer.
The laptop was stolen from the locked trunk of a researcher's car on Feb. 23, but the NIH didn't send letters notifying the patients until March 20.
"The stunning failure to act ... raises troubling questions," said Rep. John Dingell, D-Mich.
Dingell chairs the House Energy and Commerce Committee, which began an investigation Monday into the delay and why the patients' records were not encrypted, in violation of federal security policies.
"Electronic information travels in seconds and minutes, not days and weeks. The NIH should take as much care in protecting its patients' personally identifiable information as it does when handling blood samples," said Sen. Norm Coleman, R-Minn.
The government has required encryption of sensitive data stored on laptops since the 2006 theft of computer equipment that contained data on 26.5 million veterans. But a review by the Government Accountability Office last month, requested by Coleman, found few federal agencies had taken enough steps to protect personal information.
The NIH said its theft was immediately reported to the police and appears to be a random act, but that there's little risk of identity theft from the kind of patient information the laptop contained. The patients were enrolled in a cardiac study, and the password-protected records contain patient names, their diagnosis of heart disease, MRI heart scans and birth dates — but not Social Security numbers, addresses or phone numbers.
Still, the NIH "recognizes that such information should not have been stored in an unencrypted form on a laptop computer," Dr. Elizabeth Nabel, head of NIH's National Heart, Lung and Blood Institute, said in a statement. "We deeply regret that this incident may cause those who have participated in one of our studies to feel that we have violated that trust."
NIH is working now to ensure all laptops are encrypted, and researchers have been told to no longer store patient names and other identifying information on them, she said.