Recently, a laptop computer was stolen from the locked car trunk of a researcher who is employed by the National Heart, Lung, and Blood Institute (NHLBI). The theft, which occurred outside of the National Institutes of Health (NIH) campus, appears to have been a random one. The computer contained some unencrypted research information from an ongoing NHLBI study being conducted solely by NHLBI investigators who have been using facilities located at the NIH or Suburban Hospital. The information pertained to about 2500 participants in a cardiac MRI study conducted between 2001 and 2007 and included each participant’s name, birth date, hospital medical record number, and data contained in MRI reports such as measurements and diagnoses. The laptop contained no additional medical information on participants beyond the MRI reports and no additional information such as social security numbers, addresses, phone numbers, or any financial information. Although the laptop was turned off and password protected, so that retrieving the confidential information would require considerable computer sophistication, the NHLBI recognizes that such information should not have been stored in an unencrypted form on a laptop computer.
When volunteers enroll in a clinical study, they place great trust in the researchers and study staff, expecting them to act both responsibly and ethically. We at the NHLBI take that trust very seriously and we deeply regret that this incident may cause those who have participated in one of our studies to feel that we have violated that trust.
The incident was immediately reported to the Montgomery County police and is under investigation. In addition, information systems security personnel in the NIH Center for Information Technology (CIT), staff with the Department of Health and Human Services (DHHS), and the NHLBI Institutional Review Board (IRB), an independent committee that oversees the conduct of research in order to protect the rights and welfare of study participants, were promptly alerted.
The CIT has assessed the likely impact of the theft on participants and has determined that since the theft appears to be random, it is unlikely that participants’ information was specifically targeted. It also concluded that the incident poses a low likelihood of identity theft or financial implications.
We want to assure the participants in this and every other NHLBI study that we are taking several steps to increase data security and ensure that similar incidents do not occur in the future. Furthermore, we want to clarify that our partner in this particular study, Suburban Hospital, is not in any way responsible for this breach of confidentiality. The incident concerns NHLBI-conducted research and is totally unrelated to Suburban Hospital’s outstanding medical care.
The NHLBI IRB has met twice since the theft. On March 4, after careful review of the situation and risks to the participants, the IRB decided that they should be informed about the incident. On March 20, 2008, the NHLBI IRB approved a letter to be sent to study participants; NHLBI staff then promptly prepared copies of the letter and sent them by overnight delivery to all participants for whom current addresses were available. Participants were encouraged to contact the NHLBI by phone (301 594-2111) or by email (NHLBI.listens@nih.gov) to share any concerns they may have related to the theft. The NHLBI is committed to responding to all such inquiries within 2 business days.
The NHLBI is conducting proper follow-up procedures with those responsible for this incident and has taken several steps to increase data security and protect the privacy of current and future study participants. First, we are ensuring that all NHLBI laptop computers are encrypted, as required by policies of the DHHS and the Office of Management and Budget. Laptop computers in the possession of NHLBI research staff are being inspected by NIH CIT information security personnel to ensure that appropriate encryption software is installed. All NHLBI staff have been required to take regular computer security training, and this requirement will continue to be strongly enforced in the future as it was in the past. We have also emphasized that NHLBI staff are never to keep patient names, other identifying information, or identifiable medical information on a laptop computer.
The NHLBI is committed to ensuring that no future security breaches will occur.
We thank all of the participants in this and other research studies for their dedication and commitment to improving the health of the public.
###
Part of the National Institutes of Health (NIH), the National Heart, Lung, and Blood Institute (NHLBI) plans, conducts, and supports research related to the causes, prevention, diagnosis, and treatment of heart, blood vessel, lung, and blood diseases; and sleep disorders. The Institute also administers national health education campaigns on women and heart disease, healthy weight for children, and other topics. NHLBI press releases and other materials are available online at www.nhlbi.nih.gov.
The National Institutes of Health (NIH) — The Nation's Medical Research Agency — includes 27 Institutes and Centers and is a component of the U.S. Department of Health and Human Services. It is the primary Federal agency for conducting and supporting basic, clinical, and translational medical research, and it investigates the causes, treatments, and cures for both common and rare diseases. For more information about NIH and its programs, visit http://www.nih.gov.