SecurityWeek

Programmer’s Stolen Laptop Exposes 13,000 Individuals at Medical Research Facility

Stolen Laptop Containing Unencrypted Sensitive Data Prompts Feinstein Institute to Contact Affected Research Participants

A laptop stolen from the car of a computer programmer working at the Feinstein Institute, the research branch of the North Shore-Long Island Jewish Health System, has led to the exposure of sensitive personal information of approximately 13,000 current and past participants in about 50 different research studies.

According to the Institute, the laptop was stolen “on or about” September 2, 2012. The announcement of the data loss was made almost two weeks later. Taking that a step further, the announcement was made on a Friday evening, a common PR tactic used when it’s time to deliver “bad news” that an organization hopes will fly under the radar.

Their reason for delayed notification? Despite extensive efforts to retrieve the laptop, “the Feinstein Institute has determined that it is unlikely the computer will be recovered and is now sending notification letters to research participants and alerting all relevant regulatory agencies.”

According to the Feinstein Institute, data stored on the stolen laptop may have included name, social security number and one or more of the following: mailing address, date of birth or medical information relating to an individual’s potential participation in a research study at the Institute.

Unfortunately, while the organization said the laptop was password protected, SecurityWeek has confirmed that the sensitive data on the lost system was not encrypted.

“It was not encrypted per our protocol, which mandates that all electronic devices are encrypted so that data cannot be accessed,” a Feinstein Institute spokesperson told SecurityWeek via email Friday evening.

As anyone in the security world, or even someone with basic IT knowledge, knows, OS-level password protection alone is about as good as a “keep out sign” on your door. Logins for password-protected systems can typically be bypassed by installing an additional instance of an operating system, loading the disk volume through another PC, booting from an external disk or USB drive, or using a variety of readily available password cracking tools.

“Although both the computer and the health information contained on the laptop were password protected, we cannot rule out the possibility that such information could be accessed,” Dr. Kevin J. Tracey, President and CEO at the Feinstein Institute for Medical Research wrote in a notification letter sent to those affected.

As a make-good, the Feinstein Institute is offering one year of free credit monitoring for the participants whose social security numbers were included with information contained in the stolen laptop, and the Institute is “pursuing aggressive steps to strengthen its IT security and will engage a leading digital risk management and investigation firm to develop recommendations.”

According to the Feinstein Institute’s Web site, more than 800 scientists and investigators are conducting research in various areas at the Institute. Institute scientists collaborate with clinicians throughout the system to shed light on basic biological processes underlying disease, which is used to develop new therapies and diagnostics.

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is founder and director of several leading cybersecurity industry conferences around the world.
