More patient data going AWOLPosted on May 1st, 2009 No comments
The Information Commissioner’s Office (ICO) has warned another four NHS authorities about the way slipshod way they are handling patient data. All four organisations have signed undertakings to improve.
Mick Gorrill, Assistant Information Commissioner at the ICO, said: “These four cases serve as a stark reminder to all NHS organisations that sensitive patient information is not always being handled with adequate security.
“It is a matter of significant concern to us that in the last six months it has been necessary to take regulatory action against 14 NHS organisations for data breaches. In these latest cases staff members have accessed patient records without authorisation and on occasions, have failed to adhere to policies to protect such information in transit. There is little point in encrypting a portable media device and then attaching the password to it.
“Data protection must be a matter of good corporate governance and executive teams must ensure they have the right procedures in place to properly protect the personal information entrusted to them. Failure to do so could result in patient information, including sensitive medical records and treatment details falling into the wrong hands. Ultimately, the organisations risk losing the confidence of patients and their families.
“The Data Protection Act clearly states that organisations must take appropriate measures to ensure that personal information is kept secure. These four organisations recognise the seriousness of these data losses and have agreed to take immediate remedial action.”
St Georges Healthcare, London. Six laptop computers were stolen from the hospital’s Cardiac Management Offices. The laptops held information relating to almost 22,000 patients including their name, date of birth, contact details, hospital number and brief details of the patient’s planned treatment. Due to network connection problems the patient data had been stored on laptops against the Trust’s policy and the data was not encrypted.
Cambridge University Hospital Trust. A car wash attendant found a memory stick which when plugged into a computer revealed it held data belonging to the Trust and contained personal data of 741 patients. The memory stick, which was privately owned and unencrypted, contained data relating to medical treatment and had been left in an unattended car by a staff member from the hospital. The data had been downloaded on to the memory stick without the knowledge of the Trust.
The North West Hospitals NHS Trust. Two laptop computers stolen from the Audiology department of Central Middlesex Hospital held information on 181 patients including their name, date of birth, NHS or hospital number and hearing test results. The data was not encrypted. In a separate incident a desktop computer was stolen from the Clinical Haematology offices at Northwick Park Hospital. That computer held information on 180 patients including their name, hospital number, date of birth and some clinical follow up information. At the time of the theft, the swipe card security system that controlled entry to the building had been disabled for maintenance. The database containing the personal data in question was password protected, but was not encrypted.
Hull & East Yorkshire Hospitals Trust. A desktop PC, containing details of 300 patients, was lost during refurbishment of the renal dialysis office and a disused laptop, which held the data on around 2000 cancer patients was stolen from a locked office. Both devices were unencrypted.
The individual undertakings issued by the ICO can be seen here.
Leave a reply