A laptop containing unencrypted medical data for 8.63 million people has reportedly gone missing from a storeroom of a health authority in London, potentially the biggest data loss disaster ever to befall the NHS.
Details of the loss, reported in The Sun newspaper, are sparse so far but it appears that the machine was one of 20 that disappeared from a store used by NHS medical research organisation London Health Programmes, run by the North Central London health authority.
Information on the laptop included details on 18 million hospital visits over an unknown period of time, including the postcode, age and ethnic origin of the patients concerned, but not their names. Harder to explain is that the machine seems not to have been encrypted, which suggests the data might not be current.
The health authority concerned has yet to make any statement on the matter with the Information Commissioner’s Office (ICO), whose job it will be to investigate the incident, keeping its comments to a bare minimum.
“Any allegation that sensitive personal information has been compromised is concerning and we will now make enquiries to establish the full facts of this alleged data breach,” the ICO said in an emailed response.
Others have been more forthright.
“Regardless of whether this laptop has been stolen, lost, dumped or is simply sitting in a cupboard somewhere, the key point is that the data on it wasn’t encrypted,” said Chris McIntosh, CEO of public sector security consultancy ViaSat UK.
“When a machine contains highly sensitive information on literally millions of patients, not securing the data on it by any means possible isn’t just careless; it’s sheer negligence.”
Whether the laptop lacked encryption has yet to be confirmed, but if it wasn’t, hard questions will be asked of the authority’s IT security policies. Best practice compliance mandates encryption on movable devices, but that assumes that the presence of the data on the lost machine was allowed in the first place.
Hitherto, the NHS has had a fair record of data security when set against the sheer size of the organisation and the tens of millions of patients it deals with. Last October, a Scottish health board was ticked off by the ICO after a boy found a USB stick containing patient records in a car park.
Elsewhere, the NHS has been a big investor in encryption for portable storage, with a coalition of NHS Trusts buying an encryption management system from Swedish company Safestick in 2009. A year earlier, the NHS admitted it was struggling to encrypt patient data.
If confirmed, the latest loss will still be smaller than the notorious 2007 incident when another wing of the UK state, Her Majesty’s Revenue and Customs (HMRC), managed to lose 25 million child benefit records on a stack of CDs sent through the post.