Congress probes stolen laptop that contains names of 2,500 heart patients

Lawmakers are questioning why the government waited almost a month to warn 2,500 patients enrolled in a National Institutes of Health study that some of their medical records were in the memory of a stolen laptop computer.

The laptop was stolen from the locked trunk of a researcher's car on Feb. 23, but the NIH, a federal entity, did not send letters notifying the patients until March 20.

"The stunning failure to act ... raises troubling questions," said Democratic Rep. John Dingell.

Dingell chairs the House of Representatives Energy and Commerce Committee, which began an investigation Monday into the delay and why the patients' records were not encrypted as required by federal security policies.

"Electronic information travels in seconds and minutes, not days and weeks. The NIH should take as much care in protecting its patients' personally identifiable information as it does when handling blood samples," said Republican Sen. Norm Coleman.

The government has required encryption of sensitive data stored on laptops since the 2006 theft of computer equipment that contained data on 26.5 million veterans. But a review by the Government Accountability Office last month, requested by Coleman, found few federal agencies acted sufficiently to protect personal information.

The NIH said the theft was reported immediately to the police and appeared to have been a random act, but there is little risk of identity theft from the kind of patient information the laptop contained. The patients were enrolled in a cardiac study, and the password-protected records contain patient names, their diagnosis of heart disease, MRI heart scans and birth dates — but not identifying Social Security numbers, addresses or phone numbers.

Still, the NIH "recognizes that such information should not have been stored in an unencrypted form on a laptop computer," Dr. Elizabeth Nabel, head of NIH's National Heart, Lung and Blood Institute, said in a statement. "We deeply regret that this incident may cause those who have participated in one of our studies to feel that we have violated that trust."

NIH is working now to ensure all laptops are encrypted, and researchers have been told not to store patient names and other identifying information on them, she said.