
NHS Loses 800 Patient Records On Unencrypted USB

People may trust the NHS with their health, but they should seriously reconsider its ability to safeguard their personal data, after yet another embarrassing data breach.

It has emerged that Surrey and Sussex Healthcare NHS Trust, which runs East Surrey Hospital, lost the confidential records of 800 patients on an unencrypted memory stick.

The data breach happened way back in September 2010, and according to the Crawley Observer, the lost details included patient names, operation details, and dates of birth. The lost memory stick was never recovered.

Patients Not Informed

The NHS has a long track record of losing people’s confidential data, but what makes matters worse in this particular case is that the 800 affected people were never informed that their details had been misplaced.

“We take the confidentiality of patient information extremely seriously,” chief executive Michael Wilson was quoted as saying by the Crawley Observer. “All staff should always use encrypted memory sticks when transferring patient data. It is regrettable that this didn’t happen on this occasion and the member of staff has been taken through the Trust’s disciplinary procedures and has received further training.”

Meanwhile the ICO told eWEEK Europe that the case was reported to it soon after the data loss incident, but the case only came to the public’s attention when it was mentioned in the annual 2010/11 report from the Surrey and Sussex Healthcare NHS Trust.

“After investigating the breach the ICO warned the organisation that their policy covering the storage and use of personal data must be followed by staff and the Trust must make sure that their staff are aware of their policy for the storage and use of personal data and are appropriately trained on how to follow it,” said the ICO spokesperson.

“The Trust was also warned that any repetition of such an incident may result in formal regulatory action,” the ICO said.

Long Litany

While the NHS may be good at safeguarding people’s health, it has a truly shocking reputation for protecting people’s confidential data.

In early September the University Hospital of South Manchester NHS Foundation Trust was ruled to have breached the Data Protection Act (DPA) by losing sensitive personal information relating to the treatment of 87 patients. A memory stick was lost by a medical student when he copied data onto a personal, unencrypted memory stick for research purposes.

But the list of other NHS data breaches does not stop there.

In July researchers for London Health Programmes revealed that they had lost unencrypted records of 8.63 million NHS patients. And last October Healthcare Locums Plc breached the Data Protection Act when it lost a hard disc drive (HDD) that contained personal data of the doctors it employed, such as their security clearances and visa information.

In May 2010 an NHS worker in the secure mental health unit of a Scottish hospital was suspended after losing a USB stick containing patients’ medical records.

NHS Advice

The ICO has previously published a list of the 1,000 most serious data breaches reported since 2007.

It found that the NHS was responsible for 305 of the 1,007 reported breaches, almost a third of all recorded data breaches in the UK for the last three years.

In an effort to help the NHS deal with data loss, the ICO produced guidance for health organisations explaining their obligations to keep the personal information they handle secure, as well as giving advice on the security measures that must be in place.

It also carried out a number of audits with health organisations to help them identify ways in which they can improve their handling of personal information.

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
