First it was the Department of Veterans Affairs. Then, the Internal Revenue Service. Now, the National Institutes of Health is the latest federal agency that failed to encrypt laptop computers containing sensitive private information.

The recent theft of a laptop that had medical test results for 2,500 patients in an NIH heart imaging study shows that the government is still not guarding private information, despite new rules, privacy specialists say.

"The issue isn't so much with the policy; it's with the policy being followed in practice," said Joy Pritts, a Georgetown University researcher who specializes in health care privacy.

The laptop was reported stolen from Dr. Andrew E. Arai's locked car trunk Feb. 23, but the National Heart, Lung and Blood Institute alerted patients to the data theft only last week.

Their names, birth dates and test results from an ongoing heart imaging study were not encrypted because the agency hadn't gotten around to securing Arai's laptop, said Dr. Susan Shurin, the institute's deputy director. Officials said there was a delay in informing patients of the breach of confidential information because it wasn't initially clear that the laptop held personal information.

"This justifies a hard look at the whole system as well as the individual," said Shurin, who said the institute had begun checking every laptop for encryption and reminding staff to avoid keeping private information on laptops unless necessary.

Click to read more...