|NIH official had laptop stolen that held patient data. Source: Medical Informatics Insider|
A laptop containing medical information of 2,500 patients enrolled in a National Institutes of Health (NIH) study was stolen in February, potentially exposing seven years' worth of clinical trial data, including names, medical diagnoses and details of the patients' heart scans.
The information was also not encrypted, which is in violation of the government's data-security policy, the Washington Post reported.
NIH officials made no public comment about the theft and did not send letters notifying the affected patients of the breach until March 20. NIH said they hesitated because of concerns that they would provoke undue alarm, according to the Post.
"When volunteers enroll in a clinical study, they place great trust in the researchers and study staff, expecting them to act both responsibly and ethically," said Elizabeth G. Nabel, director of the National Heart, Lung and Blood Institute (NHLBI), in a statement issued Friday. "We deeply regret that this incident may cause those who have participated in one of our studies to feel that we have violated that trust."
Nabel said information pertained to about 2,500 participants in a cardiac MRI study conducted between 2001 and 2007 and included each participant’s name, birth date, hospital medical record number, and data contained in MRI reports such as measurements and diagnoses.
Social Security numbers, phone numbers, addresses and financial information were not on the laptop, NIH officials said.
The laptop was taken Feb. 23 from the locked trunk of a car driven by Andrew Arai, MD, an NHLBI laboratory chief, in a random theft, according to the Post. Arai had taken his daughter to a swim meet.
Arai oversees the institute's research program on cardiac MRI and signed the letters to those whose data was exposed.
The NHLBI Institutional Review Board (IRB) has met twice since the theft. On March 4, after reviewing the situation and the risks to the participants, the IRB decided that the patients should be informed about the incident, according to the NIH. A letter to participants was sent March 20.
Nabel said the institute is taking steps to ensure all laptop computers are encrypted.