The NHS has lost four data discs containing the details of 17,990 staff.
The discs were lost in the post in July, having been sent by London-based Whittington Hospital NHS Trust to payroll IT services provider McKesson. Senior management at the trust only became aware of the problem earlier this month.
The trust said a member of staff sent the data through the post instead of by courier, breaking trust policy. The employee has been suspended.
It did not confirm if the data was encrypted, but said it was password protected and “difficult” to crack. It has begun an internal investigation and is in communication with the police and the Information Commissioner. All staff have been notified.
Data lost included the names, birthdates, national insurance numbers, pay and attendance details of staff from the trust, as well as three other trusts: Islington Primary Care Trust, Camden Primary Care Trust, and Camden and Islington NHS Foundation Trust. Whittington manages the salaries of all four trusts.
The discs did not contain bank account details.
David Sloman, chief executive at Whittington Hospital NHS Trust, said: “It is trust policy to send any such information by courier. To our knowledge this is the one and only time that such information was directed through the post. An investigation is underway with an enquiry panel taking place shortly.”
NHS patients have also been at the centre of data breaches. Last week, the data of 15,000 patients was lost after a thief stole unencrypted computer tapes from a GP surgery in Winchester.
In June, two NHS trusts lost unencrypted laptops containing 31,000 patient records.
Earlier this month, it emerged that NHS doctors in a London hospital are carrying around unencrypted patient data on USB memory sticks. But the NHS said information was typically unidentifiable.
Reports of data losses in the NHS have raised concerns over the £12.7 billion National Programme for IT, which is building a central spine of patient data accessible by NHS staff with a smartcard and passcode. In the summer, analysts said the NHS should urgently reconsider the programme, and weigh up the benefits of patients carrying their own data instead.
Ross Brewer, VP EMEA at log management supplier LogRhythm, said the breaches that have been announced are likely to be "merely the tip of the iceberg".
"Public sector organisations need to ensure that they are auditing contractors and outsourcers against defined information security policies and procedures," he said.
Geoff Martin, head of the campaign group Health Emergency, told the Evening Standard newspaper that the NHS was a "repeat offender".
"This is becoming commonplace," he said. "It really does raise some serious questions about the ability of the NHS to maintain any kind of integrity on these systems."