WASHINGTON (CNN) -- A government laptop computer stolen last month held unencrypted medical records of 2,500 participants in a government study, Susan Shurin, deputy director of the National Heart, Lung and Blood Institute (NHLBI), told CNN Monday.
The incident prompted the NHLBI to issue a statement saying it would no longer store patient medical information on laptops.
The lack of encryption violated federal guidelines dating back to 2006. Shurin told CNN the stolen laptop "fell through the cracks" and should have been encrypted. A thorough review of other laptops containing sensitive information is under way, she said.
The computer was stolen on February 23 from the trunk of a senior employee's car, Shurin said. It contained the names, birthdays, medical record numbers and diagnoses of patients who participated in a heart disease clinical trial study conducted by NHLBI from 2001 to 2007.
Patients were informed last week of the breach, after an investigation determined the laptop contained sensitive information. The theft appears to have been random, according to a statement from the institute's director.
In the statement released Monday, NHLBI director Elizabeth G. Nabel said she deeply regretted the incident.
"When volunteers enroll in a clinical study, they place great trust in the researchers and study staff," said Nabel. "The incident may cause those who participated in one of our studies to feel that we have violated that trust."
Greg Wilshusen, director of information security issues at the Government Accounting Office (GAO), said the incident could be the tip of the iceberg.
"These types of incidents are not unusual. Several government agencies have reported them," said Wilshusen. "The number of government security incidents has increased from 3,600 reported cases in 2005 to 13,000 in 2007, an increase of 250 percent."
Wilshusen said the increase is partly because a mobile workforce is requiring information to be stored on laptops and other mobile devices, placing private information at greater risk of being accessed, stolen or compromised.
NHLBI is the third largest agency within the National Institutes of Health (NIH).
The Center for Democracy and Technology, a non-profit group promoting privacy in the digital age, called the breach "absurd" and said NIH did nothing right when it came to protecting patients in the study.
"There is not a reason patient information should be on a laptop and not on a proper server," said executive director Leslie Harris. "NIH is focusing too much on identity theft and not enough on the personal information they were entrusted to keep private."
Harris added that the incident could deter some patients from participating in future clinical trials.
This latest breach of government information comes after the well-publicized theft of a Veterans Affairs laptop computer in May 2006, which contained personal data for 26.5 million veterans and military personnel. The laptop was stolen when an employee took it to his home in violation of agency rules.
That incident prompted the Office of Management and Budget to issue guidelines requiring information on laptops across all government agencies to be encrypted.
On Friday, the NHLBI said it would install encryption software on its laptops and conduct regular security training for its employees.
"We are going to be looking at our policy going forward," said Shurin. Shurin said she expects the encryption process to be completed by April 4.
Asked about further action NHLBI should take, Harris said the agency should strip computers of all personal data, use only a server to store information and do regular security audits. As for the 2,500 patients whose data was compromised, Harris said once the information is out there, "there is no way to put the genie back in the bottle."