An unencrypted USB stick was lost on a train by a junior doctor after he recorded details of patients' conditions and medication in order to work from home.
The doctor, from East & North Hertfordshire NHS Trust, intended to hand the stick to another doctor, but accidentally took it home, intending to forward the data electronically, and lost the unprotected device on a train. The stick has not yet been recovered.
As a result, the Information Commissioner's Office (ICO) has found East & North Hertfordshire NHS Trust to be in breach of the Data Protection Act. The ICO's enquiries found that the doctor had not been aware of the Trust's data protection policies and did not have access to email to receive policy reminders and updates.
The doctor informed the Trust immediately after discovering the loss and a full investigation was conducted. It was also discovered that the Trust's policies on the use of personal USB sticks were not clear and no technical measures were in place to prevent misuse of portable devices.
Nick Carver, chief executive of East & North Hertfordshire NHS Trust, signed an undertaking agreeing to take a series of steps to ensure that the Trust's policy on the use of portable devices is clear and communicated to all staff. The Trust has also agreed to provide training for all staff who have access to personal information.
The undertaking also requires the Trust to regularly monitor compliance with security procedures and to implement appropriate safeguards to prevent a similar breach in the future.
Mick Gorrill, head of enforcement at the ICO, said: “Storing sensitive personal data on unencrypted data sticks is a risk Trusts should not be willing to take. If it is vital to store information for handover, this must be done with the highest security measures in place.
“Furthermore, it is vital that employees are fully aware of processes which could have prevented this incident from occurring. I am pleased that the Trust has agreed to take practical and effective steps to ensure such an incident does not occur again.”
Anders Pettersson, CSO of encrypted USB provider BlockMaster, said: “A secure USB solution would have provided the NHS Trust with full confidence that data is secure at all times and that it has not been tampered with, providing full accountability on all user actions. Unsecure USB drives spread malware, offer no protection and expose stored data to anyone, posing a high security risk to organisations using them.
“However, I would commend the actions of the junior doctor who showed great responsibility and judgment when reporting the loss. After all, how many unreported incidents such as this have occurred over the years? Although blame inevitably falls at the door of the person who loses data, it is still the responsibility of the ICO to take a stand and enforce policies, best practice and, if necessary, fines in order to lead by example in the constant battle to eliminate data loss.”
Chris McIntosh, CEO of Stonewood, said: “Whoever picks up the missing memory stick, the greatest losers are the patients whose personal information might be exposed. We have been assured that measures are being taken to prevent a repeat of this, but there should have been no chance whatsoever of this information being unprotected from prying eyes in the first place.
“It is not enough for governments and other bodies to insist that data is not stored on an unencrypted device. Similarly, while organisations as a whole may know the value of encrypted data, it is imperative that not only do the workers know this but that controls are put in place to ensure that there is no way for information to be saved on unencrypted storage at any point in the first place.
“Organisations that have been dragging their heels must finally implement watertight encryption and data protection policies and technology, protecting themselves without simply passing the buck onto their workers. Encrypting personal data in this way needs to be routine: otherwise, health services and other organisations will have to resign themselves to the consequences of the next, inevitable data loss.”
Kevin Bocek, director of product marketing at IronKey, said: “Unfortunately, this latest breach continues a trend: hardworking staff are required to work outside the office, but by doing so they're endangering their organisation and those that entrust them with their personal details. Surely IT and data protection officers can't put their heads in the sand forever and keep pinning their hopes on training employees.
“While training and awareness are important, staff need technology that protects data without them having to worry about these types of incidents occurring. Education won't stop mistakes like this. Managed portable storage encryption would have made this incident a non-issue: the data would be protected, any attempt to use it would be logged, and IT administrators could remotely wipe the device.”