Stolen Laptop Contains Patients' Data

March 25, 2008

Rachel last week wrote a great post explaining what you need to know about medical trials — from costs to informed consent — and where to go to get other questions answered.

One question being asked now in Washington in the wake of a laptop theft is why protocols concerning patients’ privacy were not followed. From the Washington Post, which ran this story Monday on page 1:

A government laptop computer containing sensitive medical information on 2,500 patients enrolled in a National Institutes of Health study was stolen in February, potentially exposing seven years’ worth of clinical trial data, including names, medical diagnoses and details of the patients’ heart scans. The information was not encrypted, in violation of the government’s data-security policy.

NIH officials made no public comment about the theft and did not send letters notifying the affected patients of the breach until last Thursday — almost a month later. They said they hesitated because of concerns that they would provoke undue alarm.

You think?

Leslie Harris, executive director of the Center for Democracy & Technology, explains why it hurts: “The shocking part here is we now have personally identifiable information — name and age — linked to clinical data … If somebody does not want to share the fact that they’re in a clinical trial or the fact they’ve got a heart disease, this is very, very serious. The risk of identity theft and of revealing highly personal information about your health are closely linked here.”