Another NHS trust found to be in breach of the Data Protection Act following the loss of over 100 patient records

Royal Wolverhampton Hospitals NHS Trust has been found to be in breach of the Data Protection Act by the Information Commissioner's Office (ICO) after the loss of over 100 patient records.

A CD, which contained scans of 112 patient records from the Intensive Care Unit of New Cross Hospital's Heart and Lung Unit, was discovered at a bus stop near the hospital and was unencrypted with no password protection.

Investigations by the Trust and the ICO were unable to ascertain exactly why or how the CD was ever made, although it was established that there were areas of weakness in the Trust's data protection procedures. These included a lack of timeliness in recalling patients' charts that had been released to consultants.

Mick Gorrill, head of enforcement at the ICO, said: “The fact that this information was several years old is of no consequence – patients' personal data should always be handled in accordance with the Data Protection Act. I am pleased that the Trust has agreed to take remedial steps to ensure such an incident does not happen again.”

The Trust has agreed to sign a formal undertaking outlining that it will now process personal information in line with the Act. The Trust will implement a number of security measures to protect personal information more effectively. These include ensuring that patient charts released to consultants are signed for on receipt and chased for return after just one week. Compliance with the Trust's policies on data protection and records management will also be regularly monitored.

Kevin Bocek, director of product marketing at IronKey, said: “This is just another incident and it continues to happen at NHS Trusts. There is no new news in the NHS and with 112 patients on the CD, it is not as many as Zurich but this could be more significant.

“For those affected it is pretty significant, why was it not protected and destroyed? This is what the ICO wants to bring to light, if anything can happen then destruction is a good point. This is just another example of where IT managers could make it easy for themselves to protect data, something that the business needs to highlight.”

Dave Everitt, general manager of EMEA for Absolute Software, said: “It is a case of more records missing again, with no encryption and no password protection. If you put the processes in place then users need to be able to protect themselves. It is all about having multi-level security protections to protect customer data.”

Mark Fullbrook, UK and Ireland director at Cyber-Ark, said: “What's particularly disappointing in this case is that, with so many better-enabled devices and means of storing information, should this highly sensitive information have really been held and transported by CD? The Trust couldn't even explain how and why an unprotected CD with patient records was produced in the first place.

“It's quite clear that better controls and policies need to be enforced here. If data needs to be moved, then technology, such as some form of Governed File Transfer solution – which brings together strong encryption, authentication and monitoring, whilst ensuring data arrives on time – must be deployed in order to prevent such incidents in future.”
