• crazydrumguy.com
Government Loses NIH Patient Data

By Eric on March 24, 2008

Last week, government contractors broke into the presidential candidates’ passport records. Before that, Social Security numbers of visitors to federal nuclear weapons labs were stolen. A year and a half ago, the VA lost insurance data on millions of veterans and active service members. You would think that after so many incidents, the government would get better at securing personal information, right?

Wrong. They did it again.

A government laptop computer containing sensitive medical information on 2,500 patients enrolled in a National Institutes of Health study was stolen in February, potentially exposing seven years’ worth of clinical trial data, including names, medical diagnoses and details of the patients’ heart scans. The information was not encrypted, in violation of the government’s data-security policy.

NIH officials made no public comment about the theft and did not send letters notifying the affected patients of the breach until last Thursday — almost a month later. They said they hesitated because of concerns that they would provoke undue alarm.
…
“The shocking part here is we now have personally identifiable information — name and age — linked to clinical data,” said Leslie Harris, executive director of the Center for Democracy & Technology. “If somebody does not want to share the fact that they’re in a clinical trial or the fact they’ve got a heart disease, this is very, very serious. The risk of identity theft and of revealing highly personal information about your health are closely linked here.”

The laptop contained patients’ names, dates of birth, and medical records, so nobody thought the situation warranted an immediate response:

According to a chronology provided by Dambrauskas, three offices that focus on information security within NIH and the Department of Health and Human Services were contacted within three days of the theft.

But officials did not report it to the NHLBI Institutional Review Board — whose job is to protect the well-being of patients in research — until Feb. 29, six days after the theft. That put the matter on the board’s agenda for its next meeting, on March 4, according to the board’s chairman, Alison Wichman.

“We didn’t feel that subjects were at immediate risk,” she said. “We felt that we had some time to be thorough in our evaluation. In the end, that may or may not have been appropriate.”

NIH spokesman John T. Burklow said that during the meeting, the board had “long and intense” discussions about what to do, as “there were concerns about not causing patients undue alarm.” The board nonetheless voted unanimously to ask Arai to draft a notification letter, Wichman said.

At its next meeting, on March 18, the board reviewed the letter. Two days later, it gave final approval.

Glad to see that the internal bureaucracy of NIH wasn’t disrupted by this breach of patient privacy. The one good thing that’s coming about as a result of this theft is that NIH is going to start implementing data security measures… that were issued by OMB in 2006 (PDF). Better late than never, I suppose. I wonder how many other federal agencies are noncompliant?

Tags: identity theft, NIH, OMB

Data Stolen from Military and Nuclear Research Labs

By Eric on December 7, 2007

You can take “protecting Americans from identity theft” and “keeping us safe from terrorism” off of the short list of things that the Bush Administration does right. Some of our veterans learned that the hard way when a VA subcontractor lost a laptop containing veterans’ names, addresses, Social Security numbers, and insurance information last August. As a rational person, you might expect that since then, the government has learned to do a better job protecting personal information.

But no. The U.S. government did it again. And this time it wasn’t a subcontractor with butterfingers who lost the data. This time, someone stole personal information from two supposedly secure U.S. science facilities.

Hackers have succeeded in breaking into the computer systems of two of the U.S.’ most important science labs, the Oak Ridge National Laboratory (ORNL) in Tennessee and Los Alamos National Laboratory in New Mexico.

In what a spokesperson for the Oak Ridge facility described as a “sophisticated cyber attack,” it appears that intruders accessed a database of visitors to the Tennessee lab between 1990 and 2004, which included their social security numbers and dates of birth. Three thousand researchers reportedly visit the lab each year, a who’s who of the science establishment in the U.S.

All the visitor data from 14 years at just one of the two attacked labs is gone. That’s forty-two thousand Social Security numbers out in the open. Forty-two thousand identities ready to be sold on the black market to the highest bidder. And this is from visitors, not even lab personnel. How could something like that be so insecure?

You also might be wondering what kind of experiments are being done at these labs. You probably assumed that, since they’re so insecure, the work being done there can’t be that important, right?

Wrong.

The ORNL is a multipurpose science lab, a site of technological expertise used in homeland security and military research, and also the site of one of the world’s fastest supercomputers. Los Alamos operates a similar multi-disciplinary approach, but specializes in nuclear weapons research, one of only two such sites doing such top-secret work in the U.S.

Oh, so the same people who just stole thousands of American (and maybe even security-cleared) identities also might have accessed our homeland security, military, and nuclear weapons research? HOLY FUCKING FUCK! Why are any of these computer systems even accessible from the internet in the first place? Our nuclear weapons research lab must have some sort of data safeguards in place, right?

Wrong again.

Los Alamos has a checkered security history, having suffered a sequence of embarrassing breaches in recent years. In August of this year, it was revealed that the lab had released sensitive nuclear research data by email, while in 2006 a drug dealer was allegedly found with a USB stick containing data on nuclear weapons tests.

“This appears to be a new low, even drug dealers can get classified information out of Los Alamos,” Danielle Brian, executive director of the Project On Government Oversight (POGO), said at the time. Two years earlier, the lab was accused of having lost hard disks

If a drug dealer can get his hands on nuclear weapons data, who’s to say al-Qaeda can’t? The one thing that the Bush Administration has consistently pledged to do is “keep America safe from terrorism.” Apparently, they can’t even do that right anymore.

Tags: identity theft, Los Alamos National Laboratory, nuclear weapons, Oak Ridge National Laboratory, terrorism
