
Tuesday, March 25, 2008


As I posted yesterday’s blog on Medical Identity theft Part 1, a story was developing at the Washington Post on another medical breach, small but significant. The National Institutes of Health has several studies going on that involve clinical data that is highly personal. This particular one included participants’ names, birth dates, medical diagnoses, and seven-year details of patients’ heart scans. There were 2,500 people involved, and right now all this private information is on the street where it could prove fodder for the ID thieves, or something equally bad. It could also be used to deny insurance or employment. The WP article reports that the data was not encrypted, which was a violation of the government’s data-security policy.

What’s worse, the person from whom the laptop was stolen—out of the trunk of his car, by the way—was Andrew Arai, a National Heart, Lung and Blood Institute laboratory chief who oversees NIH’s research program on cardiac magnetic resonance imaging. We’re not talking some intern who either hasn’t gotten the word or who doesn’t care about someone else’s personal data. We’re talking the guy who is head of the program whose data was lost. He had taken his daughter to a swim meet, and someone just popped the trunk and made off with the laptop. Since he’s guilty of two strikes: one, he left the computer in the trunk of his car unattended, and two, he failed to encrypt the data, on the third strike he should be out. That would occur when one of the participants’ private information is used to victimize them.
The NIH said “identity fraud not likely.” Elizabeth Nabel, director of the National Heart, Lung and Blood Institute, which is a part of the NIH study, said that since the NIH incident, “we are ensuring” that all the institute’s laptop computers are encrypted and that staff members will be required to take regular computer security training. She also said “patient names, other identifying information, or identifiable medical information” will no longer be stored on laptop computers. Forgive me, but how many times have we heard this crap? I believe we should hold accountable the people who actually commit the breaches, while working our way up the ladder to the top individual in charge. It has to start at the top, like with Andrew Arai, to be effective enough to get to the underlings down the chain of command. And somewhere along the line, we have to stop and say, “enough is enough,” and start charging those who don’t comply.

The government is responsible for almost 20 percent of all data breaches, and apparently there is no end in sight to stop the momentum. Even with a data-security policy in place, the breaches continue to happen. It would be interesting to find out what action—if any—is taken against government employees who violate the data-security policy. I will try to answer this in a future post. Finally, there is no way to determine the purpose of the crook stealing the laptop, but considering the fact that you can buy a new one today for less than $500, you have to think that a majority of these thefts might be to steal your personal data. More coming on this subject.
