Welsh medical practice hit by ICO after losing unencrypted memory stick
The Information Commissioner's Office (ICO) has found Lampeter Medical Practice in Ceredigion, Wales, to be in breach of the Data Protection Act after it lost an unencrypted memory stick containing the personal details of 8,000 patients.
A member of staff downloaded a database containing patient details to an unencrypted, non-password-protected computer memory stick, in contravention of practice policy. This was then posted by recorded delivery to the Health Boards Business Service Centre in March this year.
The memory stick did not arrive at its intended destination and is now accepted to be lost. Dr Rowena Mathew, head of Lampeter Medical Practice, has agreed to take remedial action by taking sufficient steps to ensure a security breach does not occur again. This includes ensuring that all mobile devices, including laptops and memory sticks, are encrypted, that physical security measures are sufficient, and that staff are made fully aware of the organisation's data security policy.
Sally-Anne Poole, enforcement group manager at the ICO, said: “It is unnecessarily risky to download 8,000 personal details on to a memory stick. It is imperative that staff are made fully aware of an organisation's policy for securing personal data and any portable device containing personal information should always be encrypted to prevent it being accessed in the event of loss or theft. I am pleased Lampeter Medical Practice has agreed to take action to prevent a similar security breach happening again.”
The news comes just days after the ICO found West Berkshire Council to be in breach of the Data Protection Act, while the NHS was recently revealed to be the most prevalent reporter to the ICO of data breaches with 305 of 1,000 reports.
Pete Cubbin, COO at Stonewood, said: “The greatest losers in this affair are the 8,000 patients of Lampeter Medical Practice whose personal details have been exposed to whoever might pick up the missing memory stick. Relying on Royal Mail recorded delivery to keep such sensitive information safe is, quite frankly, ludicrous.
“We have been assured that measures are being taken to prevent a repeat of this; but remember that the NHS was recently singled out as the single greatest culprit in losing sensitive information, whether on patients or staff. With such a background, there should have been no chance whatsoever of this information being put in the post without being fully protected from prying eyes.”