Skip to content

Management

Technology

Toolbox

Training

Books

White Papers

Webcast

Resource Centre


ComputerworldUK CommunIT

Want to join the UK’s fastest growing dedicated IT community? Enter here to browse the UK’s top usergroups, societies and associations.

Public sector organisations management > government & law > news

June 19, 2008

NHS trusts lose 31,000 patient records on seven unencrypted laptops

Lack of encryption in breach of DoH policy

By Leo King

Two NHS trusts have lost unencrypted laptops containing 31,000 patient records.

Advert

A laptop containing 11,000 patient records was stolen from a GP's home in Wolverhampton. And St George’s Hospital in London has admitted that six laptops were stolen from its filing cabinets at the start of the month, containing the records of 20,000 patients.

Both data breaches break Department of Health policy that states NHS mobile devices must be protected by encryption. Neither trust has offered an explanation as to why the data was unencrypted.

The breaches follow news this week that a laptop was stolen from community secretary Hazel Blears’ office. Last week, the government lost two sensitive paper files on terrorists.

The thefts of patient records also follow comments by industry analysts that the NHS should urgently reconsider the £12.7 billion digital records system, after Fujitsu pulled out of the programme over local trust demands. Some observers suggested patients should instead carry their own smartcards with their data.

The laptop theft in Wolverhampton concerned a doctor at the Castlecroft Medical Practice. Jon Crockett, chief executive at Wolverhampton City Primary Care Trust, said he was “extremely concerned” about the theft and was investigating what had happened.

“Patients and the public have the right to expect that those dealing with confidential information maintain the highest levels of security, and we are carrying out a full and urgent investigation into this incident,” he said.

The laptop was not encrypted, he said, but was protected by a “complex password system”. It contained the names, dates of birth, addresses, contact details and confidential medical records of patients.

Dr Peter Wagstaff, senior partner in the practice, apologised for the incident, and said the police believed the risk of the information being used for criminal purposes was low because the thieves targeted a range of items at the doctor’s house.

But he said the laptop could end up on the market: “It appears to have been stolen for its re-sale value, rather than for any information stored upon it.”

In the London incident, the details of 20,000 patients were stolen, including their name, date of birth and postcode. St George’s Healthcare Trust has written to every patient to apologise and explain the situation.

The trust apologised for losing the laptops, and added that it was its policy for laptops not to contain patient data.

“This was done as a temporary measure because of a problem with the computer network. However, the laptops were in a secure area under lock and key,” it said in a statement. “The data was being used to monitor and reduce waiting times at the hospital.”

It said all data was password protected and personal information such as postcode was hidden, although the patient’s name and hospital number was shown.

David Astley, chief executive at the trust, said the data “will almost certainly be wiped by the thief so he can get a quick sale.”

But he added: “Nonetheless we owe it to our patients to protect their personal information and we have reminded our staff not to store this kind of data on laptops in the future.”

Follow highlights from ComputerworldUK on Twitter
Sign up for our Daily Newsletter
The UK IT News widget Get it for your site!

« prev article | more government & law news | next article »

Advert

close

Email this article to a friend or colleague:




PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

close
  • This article is now being printed.
close

What are your views on this subject? Use the form below to post a comment on this article up to 1000 characters.


Characters remaining:

close

Click below to add 'NHS trusts lose 31,000 patient records on seven unencrypted laptops - Public sector organisations - ComputerworldUK' to your blog.



If you do not have a ComputerworldUK Account and would like to use this feature, please Register.

If you are a registered, logged-in user, this will post the title and first paragraph of this story to your blog to share with your readers.

What is this?

Comments received

John Franks said on Thursday, 19 June 2008

A timely article: It's amazing that this keeps happening. There is a defined eCulture called "The Business-Technology Weave" that helps to influence employee behaviour as regards security, use and integrity of data. This is particularly relevant: http://www.businessforum.com/DScott_02.html . Some good stuff here too: www.david-scott.net . We use his book at work - stupid mistakes like deleted and misplaced data have dropped tremendously. Our CEO even requires our vendors to read it! I wouldn't recommend it if it wasn't making a huge difference.

Malaysia said on Tuesday, 01 July 2008

Very surprising to see such a incident in a country that has very high practice of patient rights.First it was stolen from the GP's home? I dont understand why the notebook was taken home? the content ishospital property and suppose to be under lock and key?which i would state it should have been within the hospital environment. With the tight security, in the relevant areas like Medical records department or even IT department....this could have been avoided. Thanks

Advert

WHITE PAPERS

  • Legal risks: Employee use of the internet and email
    Exploring the challenges facing IT Mangers today and vital steps to ensure safe internet an email use by employees.
  • Phishing for victims
    This White Paper examines the phenomenon of phishing. It explains the potentially catastrophic threat it presents to all kinds of organisation. Exploding some widespread myths, it lights up the murky waters where phishing first emerged and where it continues to evolve. But it also highlights what your business can do to blunt the threat.
  • Challenges and opportunities of PCI
    The control framework implicit in the Payment Card Industry Data Security Standard (PCI DSS) provides an enterprise structure for improving operational, security, and audit performance.
  • Social CRM comes of age
    Who is this “social customer”? What strategies and tools does the new breed of CRM provide to do something about this?
  • Risk Management: Protect and Maximize Stakeholder Value
    What has held organisations back from a broader adoption of risk management programs?
*