Almost 2,500 patients taking part in a federal medical trial recently had their private health data compromised when a researcher’s laptop computer was stolen. The National Institutes of Health, which was responsible for safeguarding the data, made things worse by delaying notification of the patients.
This disturbing incident underscores the need for a strong federal law to protect medical privacy and for greater responsibility by those who handle sensitive medical information.
In late February, a laptop belonging to a researcher at the N.I.H.’s National Heart, Lung and Blood Institute was stolen from the trunk of his car. It contained information about heart disease patients, including their names, dates of birth and diagnoses of their medical conditions. The data was not encrypted as it should have been, which made it possible for an outsider to read it. The N.I.H. waited roughly a month before notifying the patients whose data was lost.
The release of this information is serious. Heart patients probably do not want their employers or insurance companies, among others, to know the details of their conditions. The breach is also a setback for medical research. Patients are likely to be reluctant to participate in clinical trials if their privacy is not respected.
We’ve been down this road before. In 2006, a laptop was stolen from the home of a Department of Veterans Affairs employee. It contained Social Security numbers and birth dates for millions of veterans and military personnel. The Veterans Affairs inspector general later strongly criticized the department’s procedures and its nearly three-week delay in notifying the victims.
The National Heart, Lung and Blood Institute’s director, Dr. Elizabeth Nabel, says she deeply regrets the breach, and she blames the delay in notifying the patients on an independent review board that set the schedule. Dr. Nabel says the institute is now double-checking that data is properly encrypted and reviewing whether the researcher involved should be disciplined.
These are good steps, but a larger solution is needed. There should be a federal law imposing strict privacy safeguards on all government and private entities handling medical data. Congress should pass a bill like the Trust Act, introduced by Representative Edward Markey, a Democrat of Massachusetts, imposing mandatory encryption requirements and deadlines for notifying patients when their privacy is breached. As the N.I.H. has shown, medical privacy is too important to be left up to the medical profession.