The Information Commissioner has blamed a lack of staff training for a London hospital's loss of two unencrypted USB sticks containing patient data.
According to an undertaking published by the ICO, the South London Healthcare NHS trust mislaid two drives, the first containing the personal data of 600 maternity patients, the second medical and personal data of 33 children.
Since both drives were later recovered, the ICO's concern was not the loss itself but that the data had been saved to the drives without encryption, a breach of the data protection principles the trust is obliged to follow.
"Due to not having received up-to-date information on governance training the employee was unaware that an encrypted device issued by the data controller should have been used," said the ICO.
In less severe incidents at the same trust, a junior doctor was found to have taken ward lists containing printed medical data on 122 patients out of the hospital while a separate department failed to correctly secure the files of genito-urinary outpatients.
“Without knowing more details we can’t speculate on the contents of the trust’s policy regarding the use of encrypted memory devices,” commented Nick Banks of Imation Mobile Security.
“Organisations have a responsibility to equip their staff with the appropriate technology to ensure proper data protection. Management systems can automatically block the use of non-encrypted memory devices, so the data breach in this case would have been prevented at source.”
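The claim above, that unencrypted removable media can be caught automatically, is easy to check on a host. The following is an added example for this page, not code from the article, the trust or Imation: it walks a block-device inventory in the JSON shape produced by `lsblk -J -o NAME,RM,TYPE,FSTYPE,MOUNTPOINT` and reports every removable disk that carries a filesystem other than an encrypted container (LUKS or BitLocker). The sample inventory is constructed inline so the script runs offline; the set of "encrypted" filesystem labels and the device names are assumptions for the example.

```python
import json

# Filesystem types lsblk reports for encrypted containers. Any other
# filesystem found on a removable device is treated as cleartext storage.
# This set is an assumption for the example, not an exhaustive list.
ENCRYPTED_FSTYPES = {"crypto_LUKS", "BitLocker"}

# Constructed sample in the shape of
#   lsblk -J -o NAME,RM,TYPE,FSTYPE,MOUNTPOINT
# It is not captured from any real host.
SAMPLE_LSBLK_JSON = json.dumps({
    "blockdevices": [
        # Internal disk: not removable, so never reported.
        {"name": "sda", "rm": False, "type": "disk", "fstype": None, "mountpoint": None,
         "children": [
             {"name": "sda1", "rm": False, "type": "part", "fstype": "ext4", "mountpoint": "/"}]},
        # Plain FAT-formatted USB stick: the case the article describes.
        {"name": "sdb", "rm": True, "type": "disk", "fstype": None, "mountpoint": None,
         "children": [
             {"name": "sdb1", "rm": True, "type": "part", "fstype": "vfat", "mountpoint": "/media/usb0"}]},
        # Whole-disk LUKS stick; the decrypted mapping underneath is fine.
        {"name": "sdc", "rm": True, "type": "disk", "fstype": "crypto_LUKS", "mountpoint": None,
         "children": [
             {"name": "luks-sdc", "rm": False, "type": "crypt", "fstype": "ext4", "mountpoint": "/media/secure"}]},
        # Mixed stick: one LUKS partition, one cleartext exFAT partition.
        # RM is given as the string "1" to mirror older lsblk output.
        {"name": "sdd", "rm": "1", "type": "disk", "fstype": None, "mountpoint": None,
         "children": [
             {"name": "sdd1", "rm": "1", "type": "part", "fstype": "crypto_LUKS", "mountpoint": None},
             {"name": "sdd2", "rm": "1", "type": "part", "fstype": "exfat", "mountpoint": "/media/usb1"}]},
    ]
})


def _is_removable(dev):
    # Older lsblk builds print RM as "0"/"1" strings, newer ones as JSON booleans.
    return str(dev.get("rm")).lower() in ("1", "true")


def _cleartext_filesystems(dev):
    """Yield (node, fstype) for every filesystem under `dev` that is not an
    encrypted container. An encrypted node is not descended into, because its
    children are the decrypted view of the same volume, not separate storage."""
    fstype = dev.get("fstype")
    if fstype in ENCRYPTED_FSTYPES:
        return
    if fstype:
        yield dev["name"], fstype
    if dev.get("type") == "crypt":
        return
    for child in dev.get("children", []):
        yield from _cleartext_filesystems(child)


def unencrypted_removables(lsblk_json):
    """Return {disk_name: [(node, fstype), ...]} for each removable disk that
    carries at least one cleartext filesystem. Fixed disks are ignored."""
    tree = json.loads(lsblk_json)
    findings = {}
    for disk in tree.get("blockdevices", []):
        if disk.get("type") != "disk" or not _is_removable(disk):
            continue
        clear = list(_cleartext_filesystems(disk))
        if clear:
            findings[disk["name"]] = clear
    return findings


if __name__ == "__main__":
    for disk, filesystems in unencrypted_removables(SAMPLE_LSBLK_JSON).items():
        for node, fstype in filesystems:
            print(f"{disk}: cleartext {fstype} filesystem on {node}")
```

On the sample this reports `sdb` (vfat) and `sdd` (the exfat partition) and stays silent on the LUKS-only stick. Note that this is an audit, run after a device has already been plugged in; the prevention the quote refers to lives at the device-control layer (a group policy or endpoint agent that refuses to mount or write to unrecognised removable media), and a check like this is a way to verify that such a control is actually working across a fleet.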
That the ICO did not put out a formal press release on the USB stick loss is probably down to the drives having been found. The likelihood is that they were not accessed during this time, the ICO said.
This contrasts with the case of East Surrey Hospital, which in September 2010 lost a similarly unencrypted USB stick containing the personal data of 800 patients. That device was not recovered. The institution was 'named and shamed.'