Doctors’ Personal Data Sold Online

The healthcare industry continues to live up to its reputation for suffering the most data breaches after the Information Commissioner’s Office (ICO) found Healthcare Locums Plc (HCL) in breach of the Data Protection Act (DPA).

HCL, which is a specialist healthcare recruitment agency, lost a hard disc drive (HDD) that contained personal data of the doctors it employed, such as their security clearances and visa information.

The issue came to light when the HDD was returned to HCL by a member of the public after it had been sold on an online auction website.

Missing In Transit

It seems that the HDD had gone missing whilst it was being transferred from HCL’s Skipton branch to its branch in Loughton earlier this year. But as no inventory list had been created for the transfer, HCL failed to realise the storage device had gone missing until it was reported by a member of the public.

“This breach highlights the importance of making sure personal information is transported in a way that complies with the Data Protection Act,” said Sally Anne-Poole, Enforcement Group Manager at the ICO in the ruling. “I am pleased that Healthcare Locums is taking remedial steps to make sure incidents like this one do not happen again.”

Meanwhile, Mo Dedat, Chief Operating Officer of Healthcare Locums Plc, has signed a formal undertaking outlining that the organisation will ensure contracts are put in place between the organisation and any contractors it uses to process personal data on its behalf. It will also ensure that itineraries of equipment used to process personal data are maintained and updated in order to ensure any similar incidents are detected quickly and handled appropriately.

The loss of storage media is unfortunately commonplace nowadays. For example, in early September a memory stick said to contain anti-terror training manuals was discovered outside a Manchester police station. In May, a NHS worker in the secure mental health unit of a Scottish hospital was suspended, after he lost a USB stick containing patients’ medical records.

Other recent breaches include DSG Retail Ltd, (the owner of PC World), being slapped over the wrist by the ICO after eight completed customer credit agreements containing personal and financial details were discovered in a skip outside one of its PC World stores.

Still No Fines

Despite numerous other examples, the ICO has yet to issue any fines. In June, for example, the ICO published a list of all the data breaches reported since 2007. Of the 1,007 reported breaches, the NHS was responsible for 305.

The ICO has previously warned businesses that if they do not own up to data breaches, they will face tougher action than those that come forward of their volition. Companies that fall foul of data breach laws risk a maximum fine of £500,000 under powers granted to the ICO in January this year.