updated 3/24/2008 9:01:21 PM ET 2008-03-25T01:01:21

Lawmakers are questioning why the government waited almost a month to warn 2,500 patients enrolled in a National Institutes of Health study that some of their medical records were in the memory of a stolen laptop computer.

  1. Don't miss these Health stories
    1. Splash News
      More women opting for preventive mastectomy - but should they be?

      Rates of women who are opting for preventive mastectomies, such as Angeline Jolie, have increased by an estimated 50 percent in recent years, experts say. But many doctors are puzzled because the operation doesn't carry a 100 percent guarantee, it's major surgery -- and women have other options, from a once-a-day pill to careful monitoring.

    2. Larry Page's damaged vocal cords: Treatment comes with trade-offs
    3. Report questioning salt guidelines riles heart experts
    4. CDC: 2012 was deadliest year for West Nile in US
    5. What stresses moms most? Themselves, survey says

The laptop was stolen from the locked trunk of a researcher's car on Feb. 23, but the NIH, a federal entity, did not send letters notifying the patients until March 20.

"The stunning failure to act ... raises troubling questions," said Democratic Rep. John Dingell.

Dingell chairs the House of Representatives Energy and Commerce Committee, which began an investigation Monday into the delay and why the patients' records were not encrypted as required by federal security policies.

"Electronic information travels in seconds and minutes, not days and weeks. The NIH should take as much care in protecting its patients' personally identifiable information as it does when handling blood samples," said Republican Sen. Norm Coleman.

The government has required encryption of sensitive data stored on laptops since the 2006 theft of computer equipment that contained data on 26.5 million veterans. But a review by the Government Accountability Office last month, requested by Coleman, found few federal agencies acted sufficiently to protect personal information.

The NIH said the theft was reported immediately to the police and appeared to have been a random act, but there is little risk of identity theft from the kind of patient information the laptop contained. The patients were enrolled in a cardiac study, and the password-protected records contain patient names, their diagnosis of heart disease, MRI heart scans and birth dates — but not identifying Social Security numbers, addresses or phone numbers.

Still, the NIH "recognizes that such information should not have been stored in an unencrypted form on a laptop computer," Dr. Elizabeth Nabel, head of NIH's National Heart, Lung and Blood Institute, said in a statement. "We deeply regret that this incident may cause those who have participated in one of our studies to feel that we have violated that trust."

NIH is working now to ensure all laptops are encrypted, and researchers have been told not to store patient names and other identifying information on them, she said.

© 2013 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.

Discuss:

Discussion comments

,

Most active discussions

  1. votes comments
  2. votes comments
  3. votes comments
  4. votes comments