Hospital Trust Criticised Over Data Record Theft

More than 33,000 unencrypted patient records have been stolen from an unattended hospital vehicle, including details about diabetes and results of retinal screening tests

The UK’s Information Commissioner’s Office has criticised a hospital trust for a lax approach to security which allowed a laptop containing 33,000 patient records to be stolen.

In a statement released late last week, the ICO accused the Southampton University Hospitals NHS Trust (SUHT) of failing to follow data security measures laid down in the Data Protection Act. “Storing large volumes of personal information on portable devices is unnecessarily risky. Why were so many records downloaded on to an unencrypted laptop in the first place? It is vital that NHS organisations ensure their staff handle personal information securely, especially where so much sensitive personal information is concerned,” said Sally-Anne Poole, head of investigations at the ICO.

The unencrypted laptop was stolen on 19 October 2009 from a hospital vehicle that was left unlocked and unattended, according to the ICO statement. The laptop contained around 33,000 password-protected patient records including details about diabetes and results of retinal screening tests. Although the machine was attached to the van with a security cable, the lock was cut by the thieves.

In response to the incident, the SUHT has committed to ensuring that all portable and mobile devices are encrypted and to improving the physical security of its vehicles. “I am pleased that SUHT has taken action to guard against security breaches of this nature in future,” added Poole.

The SUHT was contacted for comment but did not reply in time for this article.

Earlier this month, the ICO was given the power to issue large fines for any serious data breaches, after gaining the approval of Secretary of State for Justice, Jack Straw. It is expected to become law on 6 April, providing there are no parliamentary objections.

Companies that fall foul of the data breach laws now risk a maximum fine of £500,000. It is not clear at this time whether the same principle applies to government departments that lose sensitive data.

In July last year the Ministry of Defence published details of its data loss incidents for 2008 which included the loss of an entire server from an apparently secured government building, and the loss of 1.7 million individuals’ personal data.