Victims in the dark after hospital loses unencrypted USB stick

A lost USB stick contained the medical details of 800 people in Surrey.

According to a report by The Crawley Observer, East Surrey Hospital had transferred patient information, such as details of operations, names and dates of birth, to the stick.

The stick was reportedly lost in September 2010 and never recovered, and the affected people were not informed.

Michael Wilson, chief executive of East Surrey Hospital, said: “We take the confidentiality of patient information extremely seriously. All staff should always use encrypted memory sticks when transferring patient data.

“It is regrettable that this didn't happen on this occasion and the member of staff has been taken through [Surrey and Sussex NHS Trust's] disciplinary procedures and has received further training.”

Terry Greer-King, UK managing director of Check Point, said: “The trust's policy is that staff should use encrypted memory sticks when transferring patient data, but in this case an unencrypted device was used, and lost.

“The incident shows that security policies do need to be enforced by solutions that automate data encryption and bar the use of unauthorised devices, so that users have to adhere to those policies. There's still a security gap to be bridged within a majority of organisations.”

Grant Taylor, UK vice president at Cryptzone, said: “Had this been a private company, rather than an NHS Trust, the organisation would have been publicly censured and a large fine levied under the Data Protection Act.

“The fact that this is a government agency that has experienced a total of ten data loss incidents, and one where the data was not recovered, is highly questionable.

“All 800 of the affected patients have every right to feel aggrieved, especially if some of their operations were of an embarrassing nature. The way in which Surrey and Sussex Healthcare NHS Trust has made this data loss public needs thorough investigation. It is human nature to make mistakes, but this incident could have been so easily prevented through better user education and the application of widely available encryption technologies.”

