NHS Tops ICO List For Most Data Breaches

The NHS has been responsible for almost a third of all recorded data breaches in the United Kingdom for the last three years.

So says the Information Commissioner’s Office (ICO), which published a list of the 1,000 data breaches since 2007. It found that the NHS was responsible for 305 of the 1,007 reported breaches.

The private sector is a bit more responsible with data security, it seems, with 288 breaches recorded from individual companies. Meanwhile 132 breaches were recorded from local government bodies and 18 from central government.

Only last month an NHS worker in the secure mental health unit of a Scottish hospital was suspended, after he lost a USB stick containing patients’ medical records. According to local media reports, the USB stick contained unencrypted sensitive information – including the criminal histories of some violent patients at the Tryst Park unit at Bellsdyke psychiatric hospital. The stick was later found by a 12-year-old boy in the car park of an Asda supermarket in nearby Stenhousemuir.

Tough Penalties

UK companies have already been warned by the ICO to tighten up their security systems. The ICO now has the power to issue large fines for any serious data breaches, and companies that fall foul of the data breach laws, for example, now risk a maximum fine of £500,000. And if that was not enough, the ICO has recently said that it is pushing for prison sentences to be introduced for professional data thieves.

Meanwhile the latest figures from the ICO also provided an insight to the exact nature of the breaches in the NHS. Of the NHS’s 305 breaches, 116 data breaches were caused by stolen data and hardware. A further 87 were caused by lost data and hardware.

Human Error

The NHS was also not helped by the fact that 43 breaches were due to data being disclosed in error. The ICO also said that 17 NHS breaches came from information that was lost in transit, 17 from technical/procedural failure, 13 from non-secure disposal, and 12 from ‘other’ causes.

“We all know that mistakes can happen but, the fact is that human error is behind a high proportion of security breaches that have been reported to us,” said David Smith, Deputy Commissioner of the ICO. “Extra vigilance is required so that people’s personal information does not end up in the wrong hands.

“Organisations should have clear security and disclosure procedures that staff can understand, properly implement these and ensure that they are being followed by staff. Staff must be adequately trained not just in the value of personal information, but in how to protect it,” he added.

The ICO has published a Guide to Data Protection which offers advice and tips for organisation to help them secure their data and prevent wrongful disclosure. This includes checking who you are disclosing personal information to, checking that they are genuine and entitled to the personal details that they are asking for, etc.

Other advice centres around correct email protocols that should be followed, as well as physical tasks such as checking that only the name and address can be seen through an envelope window, and that screens in open areas or by windows cannot be viewed by members of the public.