An NHS laptop holding information on 5,123 patients has been stolen from a hospital in Dudley.
The theft occurred on 8 January in the outpatient department at Russells Hall Hospital, which is part of the Dudley Group of Hospitals NHS Trust.
The laptop held a database that contained the "limited clinical records" of 5,123 patients. The trust said the database is password and login protected, and a separate login and password was needed to operate the laptop. "Accessing patient information will therefore be difficult," said the trust in a statement.
The theft is not the first incident of data loss for the Dudley Group of Hospitals trust. In September 2007, a hard drive containing patient data was sold on eBay. In May, a laptop computer holding personal and financial information on 10,000 NHS staff was stolen from a hospital in Cornwall.
"We take precautions to try to protect all the IT equipment in our hospitals from theft, but given that this is a public building with thousands of people accessing it every day, there are inevitably practical difficulties around security," the statement continued. "Our security team work very hard to ensure the safety of our staff, patients and visitors, but it is very difficult to mitigate against all deliberate acts of theft."
Security analysts agreed that password protection is not enough to protect sensitive data.
"In these kinds of high-risk environments, always-on encryption is the minimum protection that should be applied. This can be delivered for as little as £20 per laptop, yet less than half of UK public and private companies have any data encryption deployed," said Nick Lowe, Check Point’s regional director for Northern Europe.
Sean Martin, CISSP, and vice president of marketing for SkyRecon Systems, was not surprised that data leaks are becoming a regular occurrence in the UK and said most companies are "sitting ducks".
"Despite the availability of suitable IT security solutions, companies are still not putting the necessary security measures into place. The presence of huge databases, private information stored on personal computers, and the use of mobile devices such as USB keys and laptops, have significantly increased the risks of data leakage," said Martin.
The trust added that it has invested £135,000 in data security, which includes the rollout of data encryption software to all its laptops and mobile devices, such as PDAs and memory sticks. However, the recently stolen device was not protected with this software.
To comply with Department of Health guidelines, the clinic is also conducting an in-depth review of the transfer of patient data and has contracted a consultant to audit the trust's network, looking at the security infrastructure in place to ensure that systems cannot be hacked into.
The trust added that old PCs, laptops and PDAs are wiped using a degausser before disposal.