September 11, 2008

Unencrypted data of 15,000 patients stolen from Winchester GP

Another healthcare data theft also takes place in Ireland

By Leo King


The data of 15,000 patients has been lost after a thief stole unencrypted computer tapes from a GP surgery.

In the latest in a string of patient data losses in the UK, a safe containing the back-up tapes was stolen from St Paul’s surgery in Winchester at the weekend. The tapes contained personal health information on the patients.

Hampshire Primary Care Trust, which manages NHS care in the county, said the tapes were not encrypted but instead had password protection. It said “specialised computer equipment” was needed to run the tapes, and added: “Anyone trying to read the information would ... need to have very advanced computer skills or access to a special computer programme to make any sense of it.”

The thieves were unlikely to be targeting the information, it said, but instead may have been after drugs, money or prescription pads, which were not in the safe.

The safe was stolen from a locked room. Hampshire PCT said it was writing to patients to inform them of the loss, and it has set up a phone line for anyone concerned.

“We would like to reassure patients registered at the surgery that the chances of anyone being able to do anything untoward with the tapes are very small indeed,” it said in a statement.

The crime is currently being investigated by Hampshire police.

Juergen Obermann, chief executive at data archiving firm GFT inboxx, questioned the use of tape backups at the surgery. "It's incredible that organisations continue to use archaic methods to retain sensitive information," he said.

"Clearly records need to be retained, but backing-up to tape creates an unnecessary risk. In light of this incident, organisations should look at ways to archive information electronically, mitigating the threat of this kind of data loss."

In an unrelated data loss incident in Ireland, unencrypted sensitive information on 1,150 healthcare workers was lost when a password-protected laptop, BlackBerry and data disc were stolen from a senior medical officer in the Irish Health Service Executive. The items were stolen from the officer’s home last week.

The data lost includes the name, address, date of birth, phone number, GP name and occupation of the staff, who were taking part in a survey on a flu vaccine. The staff, police and the data protection commissioner have been notified.

Deputy data protection commissioner Gary Davis told the Newstalk local radio station: “Our concern is how this type of information, revealing health information, came to be in somebody’s house in an unencrypted format.”

In the UK, NHS patients have suffered data losses in recent months. In June, two NHS trusts lost unencrypted laptops containing 31,000 patient records.

Last week, it emerged that NHS doctors in a London hospital are carrying around unencrypted patient data on USB memory sticks. But the NHS said information was typically unidentifiable.

Reports of data losses in the NHS have raised concerns over the £12.7 billion National Programme for IT, which is building a central spine of patient data accessible by NHS staff with a smartcard and passcode. In the summer, analysts said the NHS should urgently reconsider the programme, and weigh up the benefits of patients carrying their own data instead.
