Programmer’s Stolen Laptop Exposes 13,000 Individuals at Medical Research Facility

Stolen Laptop Containing Unencrypted Sensitive Data Prompts Feinstein Institute to Contact Affected Research Participants

A laptop stolen from the car of a computer programmer working at the Feinstein Institute, the research branch of the North Shore-Long Island Jewish Health System, has led to the exposure of sensitive personal information of approximately 13,000 current and past participants in about 50 different research studies.

According to the Institute, the laptop was stolen “on or about” September 2, 2012. The announcement of the data loss was made almost two weeks later. Taking that a step further, the announcement was made on a Friday evening, a common PR tactic used when it’s time to deliver “bad news” that an organization hopes will fly under the radar.

Their reason for delayed notification? Despite extensive efforts to retrieve the laptop, “the Feinstein Institute has determined that it is unlikely the computer will be recovered and is now sending notification letters to research participants and alerting all relevant regulatory agencies.”

According to the Feinstein Institute, data stored on the stolen laptop may have included name, social security number and one or more of the following: mailing address, date of birth or medical information relating to an individual’s potential participation in a research study at the Institute.

Unfortunately, while the organization said the laptop was password protected, SecurityWeek has confirmed that the sensitive data on the lost system was not encrypted.

“It was not encrypted per our protocol, which mandates that all electronic devices are encrypted so that data cannot be accessed,” a Feinstein Institute spokesperson told SecurityWeek via email Friday evening.

As anyone in the security world, or even anyone with basic IT knowledge, knows, OS-level password protection alone is about as good as a “keep out” sign on your door. Logins for password-protected systems can typically be bypassed by installing an additional instance of an operating system, loading the disk volume through another PC, booting from an external disk or USB drive, or using a variety of readily available password cracking tools.

“Although both the computer and the health information contained on the laptop were password protected, we cannot rule out the possibility that such information could be accessed,” Dr. Kevin J. Tracey, President and CEO at the Feinstein Institute for Medical Research wrote in a notification letter sent to those affected.

As a make-good, the Feinstein Institute is offering one year of free credit monitoring for the participants whose social security numbers were included with information contained in the stolen laptop, and the Institute is “pursuing aggressive steps to strengthen its IT security and will engage a leading digital risk management and investigation firm to develop recommendations.”

According to the Feinstein Institute’s Web site, more than 800 scientists and investigators are conducting research in various areas at the Institute. Institute scientists collaborate with clinicians throughout the system to shed light on basic biological processes underlying disease, which is used to develop new therapies and diagnostics.

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
