Information Commissioner slams NHS Trust for losing USB stick on train

Patient data lost on unencrypted device

The Information Commissioner's Office (ICO) has found East & North Hertfordshire NHS Trust in breach of the Data Protection Act after an unencrypted USB stick containing patient data was lost on a train.

A junior doctor had used the USB to record brief details of patients’ conditions and medication, and was supposed to hand it to the next doctor on shift.

However, the doctor accidentally took the USB key home, intending to forward the data on electronically, but lost the device, and a wallet, on a train.

The USB stick has not been recovered, despite the doctor informing the Trust immediately after discovering the loss.

A full investigation was launched, and enquiries by the ICO revealed that the junior doctor had not been aware of the Trust’s data protection policies. He also did not have access to email to receive policy reminders and updates.

The ICO also found that the Trust’s existing policies on the use of personal USB keys were not clear, and no technical measures were in place to prevent misuse of portable devices.

Nick Carver, chief executive of East & North Hertfordshire NHS Trust, has signed an undertaking to ensure that the Trust’s policies on portable devices are clear and communicated to all staff. Training will also be provided to all staff who have access to personal information.

Mick Gorrill, head of enforcement at the ICO, said: “Storing sensitive personal data on unencrypted data sticks is a risk trusts should not be willing to take. If it is vital to store information for handover, this must be done with the highest security measures in place.

“Furthermore, it is vital that employees are fully aware of processes which could have prevented this incident from occurring.”

Yorkshire Building Society was recently found in breach of the Data Protection Act after an unencrypted laptop was stolen from its premises.

The ICO has previously revealed that the NHS is the worst culprit for data breaches.



  • Juliette_MSC: I agree with Ollie. It is concerning to hear issues regarding data loss, and particularly the loss of unencrypted information, are not being dealt with effectively. Organisations should be learning from each other's mistakes, especially with industries where the information is so critical and the technology is readily available. Clear policies should be in place not only to protect the information but also so that employees are fully aware of procedures that they must adhere to. I have recently written a blog on this regarding the likes of Yorkshire Building Society, the NHS, Zurich and Greater Manchester Police; to read more please go to http://www.msc247.com/latest-n
  • Ollie Hart, Sophos: This story is yet another blow for the NHS. As a sector it is still battling with the issues surrounding data protection, understandable on one hand given the huge volume of data held by the NHS and the sheer numbers of staff using and processing that data on a day-to-day basis. However, securing USB devices is simple and easy to achieve and should be a basic data security principle for all public sector organisations and businesses holding and transporting public data via mobile devices. Yet the loss of unencrypted USB devices continues to be one of the major sources of data breach. It is particularly worrying in this latest case given the NHS focus on data protection and the history of breaches within the NHS since the highly publicised HMRC data breach in 2007. It is key that other organisations holding public data do not wait until experiencing a breach themselves before acting to secure data on mobile devices. Indeed, organisations that are currently unable to fund or achieve protection of removable media carrying public data in the short term should seriously consider blocking the use of these devices until such a time when this can be achieved. It is also of paramount importance to educate users. While the right software is vital, effective data protection requires much more than just putting software in place. Alongside this, it is key to establish the right procedures and processes to protect the data, as well as educating users across the organisation. In a few weeks' time, when he goes before parliament, it is expected that the ICO commissioner Christopher Graham will make some tough recommendations regarding the next steps for protecting the public's data and for dealing with organisations that suffer a breach. We look forward to subsequent government consideration/implementation of these recommendations and to a further step change in the improvement of citizen data protection.