NHS trust reports losses of unencrypted USB sticks
South London Healthcare NHS Trust has reported the loss of two unencrypted memory sticks among a series of data losses.
According to an undertaking, in the first incident the device contained data relating to approximately 600 maternity patients, while in the second incident, the device contained the names and dates of birth of 30 children and full audiology reports for a further three children.
In the first instance, an employee downloaded the data to a personal memory stick to do some work at home. Due to not having received up-to-date information governance training, the employee was unaware that an encrypted device issued by the data controller should have been used.
The Information Commissioner's Office (ICO) said in these incidents, the data was put at unnecessary risk by it not being encrypted, but both devices were later found and it is unlikely that they were readily accessible during the time they could not be located.
In a third incident, a junior doctor took home ward lists, containing the names, dates of birth, diagnoses, treatment plans and test results, for 122 patients. In a fourth incident, the data controller reported that some Genito-Urinary Clinic outpatient files were not locked away when not in use, although they were being stored in areas with secure access controls.
The ICO said that following consideration of the remedial action that has been taken by the data controller, it will not exercise its powers in these cases. Chief executive of South London Healthcare NHS Trust, Dr Chris Streather, has signed an undertaking to improve security of portable devices, the policies related to retention, storage and use of personal data, and physical security.
Nick Banks, vice-president of EMEA and APAC at Imation Mobile Security, said this is another example of what can happen when sensitive information is stored on unencrypted USB drives.
“Had these devices been encrypted, the information would have been inaccessible to anyone finding the device, the patient data would have remained confidential and the NHS trust could have saved itself from the scrutiny and criticism which will now inevitably follow,” he said.
“USB memory sticks are vulnerable by their very nature because they are specifically designed to be mobile, and as such there is an increased risk of them being lost or stolen. Encryption mitigates this threat by ensuring that if a device falls into the wrong hands, the data is still securely protected.
“Without knowing more details, we can't speculate on the contents of the trust's policy regarding the use of encrypted memory devices. Organisations have a responsibility to equip their staff with the appropriate technology to ensure proper data protection. This means supplying encrypted USB devices and investing in management systems to enforce policy, monitor usage and even control precisely what data may be downloaded to USB sticks. Management systems can automatically block the use of non-encrypted memory devices, so the data breach in this case would have been prevented at source.”