Hospital lost unencrypted USB stick despite strict security policy

ICO issued private rebuke

East Surrey hospital in Redhill lost an unencrypted USB stick containing the confidential records of 800 patients, the Surrey and Sussex Healthcare NHS trust has admitted in its annual report.

The loss happened in September 2010 and the stick contained details of patients’ dates of birth, names, addresses and operation details, local press with access to the document have reported. Patients were not contacted regarding the loss.

“We take the confidentiality of patient information extremely seriously,” Surrey and Sussex chief executive Michael Wilson said.

“All staff should always use encrypted memory sticks when transferring patient data. It is regrettable that this didn’t happen on this occasion and the member of staff has been taken through the Trust’s disciplinary procedures and has received further training.”

The Information Commissioner’s Office (ICO) was informed at the time of the loss and offered this response in a formal statement.

“After investigating the breach the ICO warned the organisation that their policy covering the storage and use of personal data must be followed by staff and the Trust must make sure that their staff are aware of their policy for the storage and use of personal data and are appropriately trained on how to follow it. The Trust was also warned that any repetition of such an incident may result in formal regulatory action,” the ICO said.

A year ago, the ICO took a dim view of East & North Hertfordshire NHS Trust after it lost a single unencrypted USB stick on a train. That rebuke came after figures emerged from the organisation showing that the NHS recorded the highest number of data loss incidents of any UK sector.

Earlier this year, NHS Birmingham East and North was upbraided by the ICO for showing network security poor enough to risk unauthorised access to confidential data.

One unexplained issue in the latest case is that East Surrey hospital has a policy that mandates the encryption of all removable data drives.

“The incident shows that security policies do need to be enforced by solutions that automate data encryption and bar the use of unauthorised devices, so that users have to adhere to those policies,” said Check Point UK managing director Terry Greer-King. “There’s still a security gap to be bridged within a majority of organisations.”

Further controversy will surround the hospital’s decision not to contact the patients affected by the data loss.

“Had this been a private company, rather than an NHS Trust, the organisation would have been publicly censured and a large fine levied under the Data Protection Act,” said Grant Taylor, a VP with encryption and security specialist, Cryptzone.

  • MikeyB: Pah, ’tis nothing. I am a graphic designer and I once got an unencrypted stick from a printer with my artwork on it. In the waste basket of said stick were 25k names and addresses of patients of a London GP practice. When I tried to inform the printer’s Data Protection Officer, they didn’t know what that was, let alone who. I gave them a lecture on data security and securely deleted all the files. I don’t use that printer any longer.