Stolen Laptop Containing Unencrypted Sensitive Data Prompts Feinstein Institute to Contact Affected Research Participants
A laptop stolen from the car of a computer programmer working at the Feinstein Institute, the research branch of the North Shore-Long Island Jewish Health System, has led to the exposure of sensitive personal information of approximately 13,000 current and past participants in about 50 different research studies.
According to the Institute, the laptop was stolen “on or about” September 2, 2012. The announcement of the data loss was made almost two weeks later. Taking that a step further, the announcement was made on a Friday evening, a common PR tactic used when it’s time to deliver “bad news” that an organization hopes will fly under the radar.
Their reason for delayed notification? Despite extensive efforts to retrieve the laptop, “the Feinstein Institute has determined that it is unlikely the computer will be recovered and is now sending notification letters to research participants and alerting all relevant regulatory agencies.”
According to the Feinstein Institute, data stored on the stolen laptop may have included name, social security number and one or more of the following: mailing address, date of birth or medical information relating to an individual’s potential participation in a research study at the Institute.
Unfortunately, while the organization said the laptop was password protected, SecurityWeek has confirmed that the sensitive data on the lost system was not encrypted.
“It was not encrypted per our protocol, which mandates that all electronic devices are encrypted so that data cannot be accessed,” a Feinstein Institute spokesperson told SecurityWeek via email Friday evening.
As anyone in the security world knows, and even someone with basic IT knowledge knows, OS-level password protection alone is about as good as a “keep out” sign on your door. Logins for password-protected systems can typically be bypassed by installing an additional instance of an operating system, loading the disk volume through another PC, booting from an external disk or USB drive, or using a variety of readily available password cracking tools.
“Although both the computer and the health information contained on the laptop were password protected, we cannot rule out the possibility that such information could be accessed,” Dr. Kevin J. Tracey, President and CEO at the Feinstein Institute for Medical Research wrote in a notification letter sent to those affected.
As a make-good, the Feinstein Institute is offering one year of free credit monitoring for the participants whose social security numbers were included with information contained in the stolen laptop, and the Institute is “pursuing aggressive steps to strengthen its IT security and will engage a leading digital risk management and investigation firm to develop recommendations.”
According to the Feinstein Institute’s Web site, more than 800 scientists and investigators are conducting research in various areas at the Institute. Institute scientists collaborate with clinicians throughout the system to shed light on basic biological processes underlying disease, which is used to develop new therapies and diagnostics.

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
