The Information Commissioner's Office (ICO) has stated that it is ‘highly concerned’ about NHS data breaches.
The ICO reported last month that the number of data losses reported to it had topped 1,000, and that a third of those (305) were from the NHS. Of those, 116 were due to stolen data or hardware, 87 to lost data or hardware, 43 were disclosed in error and 17 were lost in transit.
Mick Gorrill, head of enforcement at the ICO, said: “Everyone makes mistakes, but regrettably there are far too many within the NHS. Health bodies must implement the appropriate procedures when storing and transferring patients' sensitive personal information.
“We have taken a number of steps to explain the importance of personal data to NHS bodies and help them comply with the law. We will continue to do so.”
The ICO also announced today that NHS Stoke-on-Trent and Basingstoke and North Hampshire NHS Foundation Trust are the latest NHS bodies found to have breached the Data Protection Act. Both organisations' chief executives have signed formal undertakings committing them to process personal information in line with the act.
NHS Stoke-on-Trent's archive system has no record of 2,000 paper physiotherapy records, which may have been accidentally destroyed or misfiled.
At Basingstoke and North Hampshire NHS Trust, an Excel spreadsheet containing 917 patients' pathology results was emailed via an unsecured address to another department. The spreadsheet was not password protected, and the receiving department had no business need for access to the excessive volume of clinical records it contained.
Both organisations will undertake security reviews, while NHS Stoke-on-Trent will also apply physical security measures in respect of paper medical records, particularly when they are in transit.
Basingstoke and North Hampshire NHS Trust has stated that it will only extract and transfer the minimum amount of personal information necessary for any processing requirement. With immediate effect, it will encrypt all portable and mobile devices used to store and transmit personal data.
The ICO claimed that it has made full use of the most appropriate regulatory powers in the two cases, yet, despite introducing fines of up to £500,000 in April for deliberate or malicious data breaches, it has not yet issued one.
BlockMaster CSO Anders Pettersson said: “The ICO should set an example to public bodies and businesses alike by issuing a monetary fine which reflects the size of the incident. By doing this, others will see that the ICO means business and that data needs to be treated with the utmost care, rather than bolting the stable door after the horse has bolted. It shouldn't take a major loss and a news scandal to push companies into action.”
Speaking to SC Magazine yesterday, Michael Cartsonis, senior manager of OEM at Blue Coat, said that there has been a move from fear of data loss to a fear of the auditor.
He said: “In the US if you have information to protect, you need to protect it. We have the Health Insurance Portability and Accountability Act (HIPAA) and you have to show a progression of information from when you are audited.
“In the US there are two states who do not have notification laws, and California has very stringent laws for the cost of a data breach, but the NHS is not as big.”