An NHS laptop containing the records of more than eight million people has been reported as ‘missing’.
According to a report in The Sun, the laptop was lost three weeks ago but police were only informed this week. It was held at an NHS North Central London storeroom and is one of 20 that went missing from the storeroom. Eight have been recovered, with searches for the other 12 ongoing.
The laptop is reported as being unencrypted and contains sensitive details relating to 8.63 million people, plus records of 18 million hospital visits, operations and procedures. The data does not include names, but patients could be identified from postcodes and details such as gender, age and ethnic origin.
Chris McIntosh, CEO of ViaSat UK, said: “Regardless of whether this laptop has been stolen, lost, dumped or is simply sitting in a cupboard somewhere, the key point is that the data on it wasn't encrypted. When a machine contains highly sensitive information on literally millions of patients, not securing the data on it by any means possible isn't just careless: it is sheer negligence.
“With the value of the data on such a machine in the tens of thousands of pounds, spending a little extra on security should be a no-brainer. London Health Programmes can't claim it was ignorant to the dangers of unencrypted machines and the risks of a loss; there has been a huge focus on IT security recently, as incidents such as the Sony hacking put ordinary consumers at risk.
“Meanwhile, the Information Commissioner's Office has proven several times that it is willing to impose civil penalties on public sector organisations. It is to be hoped that the ICO acts swiftly and decisively to pass a strong message in this case and more importantly, the data on the laptop itself doesn't end up in the wrong hands.”
An ICO spokesperson said: “Any allegation that sensitive personal information has been compromised is concerning and we will now make enquiries to establish the full facts of this alleged data breach.”
Christian Toon, head of information risk at Iron Mountain, said that the news further highlights that authorities must improve their approach to records management to correspond with the law.
He said: “Earlier this year the NHS Liverpool Community Health lost the medical histories of 31 children and their mothers during a premises move. Shortly afterwards the ICO put its foot down when the Council for Healthcare Regulatory Excellence could not find sensitive files and did not know if they had been lost or destroyed.
“All public authorities handle sensitive data and need to ensure that they have robust policies and processes in place for managing, storing and tracking information. This is not just good practice; the public have a right to expect that information about them is protected.”
Nick Lowe, head of sales for Western Europe at Check Point, said: “The scale of this potential data loss drives home just how essential it is to have mandatory, strong encryption on all sensitive, personal data on laptops and portable storage devices, even if those devices are stored in supposedly secure areas within buildings.”