More data-security woes for the UK National Health Service, as a laptop goes missing with more than 8.6 million patient records. The ICO is no doubt incandescent, especially as the data were reportedly unencrypted.
- On the one hand, the NHS local authority says the laptop was password-protected.
- On The Other Hand, that's not exactly the same as saying the data are "encrypted." A login password only gates the operating-system session; pull the drive (or boot from a USB stick) and every byte is readable unless the disk itself is encrypted. Who pays these idiots' salaries? Oh wait, that would be you and me.
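To make the password-versus-encryption distinction concrete, here is an added example (my own illustration, not code from the original post or from the NHS): a POSIX shell check that reads `lsblk -l -o NAME,TYPE,MOUNTPOINT` output and reports whether the device behind a given mountpoint is a dm-crypt (LUKS) mapping. The three laptop layouts are constructed samples, not output from any real machine, and the `mount_encrypted` and `report` function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): tell a laptop whose root
# filesystem is merely behind an OS login password apart from one whose
# root filesystem sits on a dm-crypt (LUKS) mapping.
#
# Input format assumed: `lsblk -l -o NAME,TYPE,MOUNTPOINT` (list mode, so
# no tree-drawing characters). The samples below are constructed for the
# demonstration; none is output from a real machine.

# Laptop A: "/" is a plain partition. The login password only gates the
# OS session; boot from other media and the bytes are readable.
LSBLK_PLAIN='NAME  TYPE MOUNTPOINT
sda   disk
sda1  part /boot
sda2  part /
sda3  part [SWAP]'

# Laptop B: "/" is a dm-crypt mapping opened from nvme0n1p2.
LSBLK_CRYPT='NAME      TYPE  MOUNTPOINT
nvme0n1   disk
nvme0n1p1 part  /boot/efi
nvme0n1p2 part
cryptroot crypt /'

# Laptop C: only /home is encrypted; "/" (and anything an analyst dumps
# into /tmp or /var) is still in the clear.
LSBLK_HOME_ONLY='NAME      TYPE  MOUNTPOINT
sda       disk
sda1      part  /
sda2      part
crypthome crypt /home'

# mount_encrypted MOUNTPOINT: read lsblk output on stdin; exit 0 when the
# device mounted at MOUNTPOINT has TYPE "crypt", exit 1 otherwise
# (including when nothing at all is mounted there).
mount_encrypted() {
    awk -v mp="$1" '
        NR > 1 && $3 == mp { found = 1; if ($2 == "crypt") enc = 1 }
        END { if (found && enc) exit 0; exit 1 }
    '
}

# report LABEL MOUNTPOINT LSBLK_TEXT: print a human-readable verdict.
# Always returns 0 so the demonstration below also runs under `set -e`.
report() {
    if printf '%s\n' "$3" | mount_encrypted "$2"; then
        echo "$1: $2 is on a dm-crypt device (encrypted at rest)"
    else
        echo "$1: $2 is NOT on a dm-crypt device (password-protected only)"
    fi
}

report laptop-A / "$LSBLK_PLAIN"
report laptop-B / "$LSBLK_CRYPT"
report laptop-C / "$LSBLK_HOME_ONLY"
report laptop-C /home "$LSBLK_HOME_ONLY"
```

On a live Linux box the same function is fed with `lsblk -l -o NAME,TYPE,MOUNTPOINT | mount_encrypted /`. Two caveats: the check only establishes that a dm-crypt layer sits under the mountpoint, it says nothing about how the key is handled (a keyfile parked on an unencrypted /boot partition defeats the whole exercise), and Windows and macOS laptops need their own tools (`manage-bde -status` and `fdesetup status` respectively) rather than this parser.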
John E Dunn reports:
[It's] potentially the biggest data loss disaster ever to befall the NHS. ... it appears that the machine was one of 20 that disappeared from ... NHS medical research organisation London Health Programmes ... [part of] the North Central London health authority.
[It had] details on 18 million hospital visits ... including the postcode, age, ethnic origin of the patients ... but not their names. ... Whether the laptop lacked encryption has yet to be confirmed. ... Hitherto, the NHS has a fair record of data security when set against ... tens of millions of patients.
Gotcha! It was Mike Sullivan wot broke it:
It went missing three weeks ago. ... Police were said to be "dismayed" that the loss ... was not reported earlier.
The records include details of cancer, HIV, mental illness and abortions. ... The data does not include names but patients could be identified from postcodes and [other] details.
John Oates talked to the NHS:
We ... asked North Central London health board why it needed to store 8.63 million ... records on an unsecure laptop.
"One of the machines was used for analysing health needs requiring access to ... unnamed patient data. ... Our policy is to manually delete the data ... after the records have been processed. ... [We're] taking the matter extremely seriously. We have started an investigation ... [and] liaising with the office of the Information Commissioner."
And Matthew D'Arcy sought out the regulator:
A spokesman for the Information Commissioner's Office [said] they were making early enquiries ... but that further detailed comment was not available. ... "Any allegation that sensitive personal information has been compromised is concerning and we will ... establish the full facts of this alleged data breach."
The Information Commissioner has the power to impose ... penalties of up to £500,000 for serious breaches. ... Less than one per cent of cases dealt with by the ICO result in a fine.
Meanwhile, Phil Muncaster offers additional regulatory background stuff:
The NHS has been one of the worst offenders ... [it] was responsible for roughly a quarter of all incidents reported to the ... ICO last year. However, it has improved "pretty dramatically", according to former ICO head of enforcement Mick Gorrill.
The [ICO] recently issued a fine of £120,000 to Surrey County Council, its largest to date ... as it seeks to clamp down on lax data protection procedures.
Today's Skateboarding Duck...
- So, the Dalai Lama walks into a pizza shop and says, "Can you make me one with everything?"
[hat tip: Cory Doctorow]
Richi Jennings is an independent analyst/consultant, specializing in blogging, email, and security. His writing has previously won American Society of Business Publication Editors and Jesse H. Neal awards. A cross-functional IT geek since 1985, you can also read Richi's full profile and disclosure of his industry affiliations.