March 25, 2008

One hopes that no insurers are without the password and encryption safeguards to protect personal health information (PHI). The government's HIPAA security guidance requires that PHI be protected, but the government has failed its own standard once again, this time by the actions or negligence of an employee of the National Institutes of Health. The breach, involving medical information of 2,500 individuals, was caused when a laptop was lifted from the trunk of an NIH employee named Andrew Arai, who was dropping his daughter off at a swim meet. The trunk was locked, but the sensitive information contained in the laptop was not. As the Washington Post reports, "An initial effort by information technology personnel failed to encrypt the laptop before it was stolen and Arai neglected to follow up, according to NHLBI spokeswoman Susan Dambrauskas."

In this case the sheer number of records lost didn't rival the notorious loss of confidential information associated with the 2006 loss of a Department of Veterans Affairs laptop (or the much more recent security breach associated with the Hannaford Bros. supermarket chain), but there is special embarrassment in the breach occurring on the watch of an organization that falls within the Department of Health and Human Services, which promulgated and polices HIPAA rules.

Apart from that dubious distinction, the NIH is much like other government operations, according to a GAO inquiry:

The incident is the latest in a number of failures by government employees to properly secure personal information. This month, the Government Accountability Office found that at least 19 of 24 agencies reviewed had experienced at least one breach that could expose people's personal information to identity theft.
However, in terms of sheer scale, the Americans still have something to learn from the British.

ABOUT THE AUTHOR
Anthony O'Donnell has covered technology in the insurance industry since 2000, when he joined the editorial staff of Insurance & Technology. As an editor and reporter for I&T and the InformationWeek ...