NHS losing yet more patient data

Carry on Data Loss?

Yet more NHS Trusts have been sent to the headmaster’s office for the slipshod way they deal with sensitive personal data.

This has been a recurrent theme this year and it would appear that the Information Commissioner is having a concerted push at NHS data security. Some might say it is like shooting fish in a barrel.

So far this year a total of 21 NHS executives in England have had to sign formal undertakings to promise to stick the letter of the Data Protection law.

The latest culprits are:

Surrey and Sussex Healthcare NHS Trust: A ward handover sheet containing the details of 23 patients was found discarded on a bus. Two computers, that were password protected, but contained the details of 80 patients were stolen from an area that was protected by three locked doors. Staff were said to have poor knowledge of the need to store data on network drives.

Royal Free Hampstead NHS Trust: A disc containing the details of 20,000 patients from the Cardiology department disappeared. The staff member responsible is said to have downloaded the data, of patients treated between 2000 and 2006 - but took five months to inform the hospital after the unencrypted disc disappeared. Where the disc is, how it was lost and exactly what it contains is unknown.

Hampshire Partnership NHS Trust: An employee attending a conference in London had their laptop stolen from the hotel. It contained the details of 349 patients and 258 staff. The laptop was not encrypted.

Epsom & St Helier University Hospitals NHS Trust: The Information Commissioner was brought in after a press report relating to the insecure handling of a  large quantity of patient records. An investigation found the records had been left in an room that was often unlocked after being moved from one site to another. Following a root cause analysis report by the Trust the Commissioner was still concerned the Trust appeared to have failed to recognise the staff training issues, equipment and resources factors, individual knowledge and skills areas, organisation and strategic issues and the question of culpability in respect of this breach.

Chelsea & Westminster Hospital NHS Foundation Trust: An unencrypted USB memory stick that held the personal data of 143 patients who attended a walk-in clinic at the hospital was stolen from an unattended and unlocked office. The memory stick belonged to the employee holding the clinic and was not password protected. The Trust employee was not aware that secure network drive and encryption facilities were available and used their own memory stick because Trust equipment was not available. It was also discovered that the Trust employee had used the memory stick and their own computer for home working.