Two NHS data loss incidents show that basic levels of security are still lacking in the healthcare sector

News by Dan Raywood

The last week has seen two more data loss incidents by NHS professionals, with both found to be in breach of the Data Protection Act by the Information Commissioner's Office (ICO).

Last Thursday, specialist healthcare recruitment agency Healthcare Locums (HCL) was found to be in breach of the act following the loss of personal data relating to doctors employed by the organisation. The ICO said it was first informed of the breach when HCL confirmed that a hard drive containing doctors' security clearance and visa information had been sold on an auction website before being returned to the agency.

Further enquiries established that the equipment was last recorded as being transferred from HCL's Skipton branch to its branch in Loughton earlier this year. However HCL had no inventory list for the transfer, so the organisation failed to realise the storage device had gone missing until it was reported by a member of the public. The device was eventually returned to the agency and wiped in June 2010.

Also on Tuesday this week, a doctor at North West London Hospitals NHS Trust was found to be in breach of the Data Protection Act by leaving medical information about 56 patients on the tube.

The incident, which was reported to the ICO by the trust in May 2010, occurred when a doctor printed out personal and diagnostic information about patients to use in audit work, undertaken at home outside of normal working hours. Shortly after leaving the tube station, the doctor realised the information had been left on the train and returned to inform the station supervisor. The documents were subsequently found by London Transport at the train's termination point and retrieved by the doctor.

Sally-Anne Poole, enforcement group manager at the ICO, said: “Most of us can think of a time when we've found someone else's personal belongings, like an umbrella, left behind on a train. But the last thing we should ever expect to find are highly confidential and sensitive papers detailing people's medical history.

“We understand that many health professionals have busy lives and often take work home, but simple steps like removing patients' names from printouts can help minimise the potential for personal data to be lost or otherwise compromised. I welcome North West London Hospitals NHS Trust's decision to report this breach to us and the remedial action it has taken to put more effective data protection measures in place.”

Commenting on the HCL incident, Mark Fullbrook, director of UK and Ireland at Cyber-Ark, said: “It's difficult to know where to start with this one – the fact that the information wasn't encrypted, the fact that its transfer wasn't logged or the insecure method of transit used.

“Companies of all sizes regularly store and transfer highly sensitive information regarding their employees, but what matters most are the measures taken to protect the integrity of that data every step of the way. With that in mind, aside from a blatant disregard for the terms within the Data Protection Act, HCL's biggest failure is toward those employees that entrusted personal information to the organisation.”

Commenting on the North West London Hospitals NHS Trust incident, Oliver Hart, head of public sector at Sophos, said: “Today's news that a doctor left printed personal information on 56 patients on a London tube train in May 2010 is yet another blow for the NHS, which is increasingly coming under fire from the ICO for leaked data.

“With budgets being cut, the NHS must take more care to protect data held within trusts so that it can avoid paying out unnecessary penalties. There are several ways of protecting data, ranging from the ICO's recommended approach of removing patient names from documents to sending encrypted data from one location to another.

“It is of paramount importance to educate users within the NHS of the risks of moving around patient and organisational information and how to protect such data. Having the right data protection software is vital but it also requires much more than just putting software in place. Alongside this, it is key to establish the right procedures and processes to protect the data, as well as educating users, across the organisation.”

Despite Government cuts announced this week, the privacy of citizens cannot be forgotten, according to Kevin Bocek, director of product marketing at IronKey. He said: “Over the past seven days, two incidents involving healthcare professionals show that there is still much work to be done in both the public and private sector. In both incidents, the most basic level of data protection, encrypting stored data, was not enforced.

“Unlike the more complex attacks on Britain, these incidents are simply preventable. If Government can cut over £80 billion in spending out of the system it must be able to ensure that the privacy and productivity of its citizens are protected to the most basic levels.”
