The Information Commissioner’s Office has found Lampeter Medical Practice to be in breach of the Data Protection Act after it reported that an unsecured USB drive had been lost in the post.
The USB drive, which was unencrypted and was not password-protected, contained the personal details of 8,000 patients of the GP practice in Wales. Clinical information was not included in the database.
Against practice policy, a member of staff downloaded the patient database onto the drive in March 2010. The USB drive was then posted by recorded delivery to the Health Boards Business Service Centre, but did not arrive at the destination.
Sally-Anne Poole, enforcement group manager at the ICO, said: “It is unnecessarily risky to download 8,000 personal details on to a memory stick.
“It is imperative that staff are made fully aware of an organisation’s policy for securing personal data and any portable device containing personal information should always be encrypted to prevent it being accessed in the event of loss or theft.”
To prevent a repeat of this incident, Dr Rowena Mathew, head of practice of Lampeter Medical Practice, has signed an undertaking to ensure that all portable and mobile devices and media used to store and transmit personal data are encrypted. Staff will also be made aware of the organisation’s policy on IT security, and appropriately trained on how to follow that policy.
The ICO has previously revealed that the NHS is the worst culprit for data breaches.
Pete Cubbin, COO of encryption company Stonewood, said: “With the NHS’s background, there should have been no chance whatsoever of this information being put in the post without being fully protected from prying eyes.”
This latest data loss incident comes as a survey of 238 IT security professionals, released by software provider Cyber-Ark, found that 19 percent of companies are still using couriers to send large or sensitive files. This is despite warnings given after HM Revenue & Customs (HMRC) lost a disk containing thousands of records “in transit” with an external courier in 2007.