By Nick Heath, 18 January 2008 14:21
The security of information held by the NHS has suffered a further blow after the loss of another 4,000 medical and personal details came to light.
Stockport Primary Care Trust (PCT) admitted it had not informed the thousands affected after it lost their names, dates of birth and details of medical conditions in December.
The details, which also included their NHS number and details of their GPs, were on a USB drive that was dropped by an employee.
The lapse comes in the wake of the loss of hundreds of thousands of patients' records by nine NHS trusts in December.
Stockport PCT said it had searched for the missing drive but had not found it, and said it had told local GPs and the Department of Health.
Chief executive of Stockport PCT Richard Popplewell said in a statement that the drive did not have a protective cover and had been dropped on a road during a rainy day.
He said: "It is extremely likely that the data was lost in circumstances in which it would be unrecoverable.
"We did not notify the patients affected because the data lost would not be of assistance to ID fraudsters."
The details related to patients with long term conditions such as asthma and diabetes.
A spokesman for the trust said: "Steps have been taken to emphasise to staff safety when carrying personalised data and there is a full review still taking place of the incident."
The latest loss follows news that Oldham PCT had also lost two USB sticks containing the personal and care assessment details of 148 patients.
Oldham PCT is also reviewing its data security procedures following its loss, which included names, addresses and dates of birth, and is contacting patients affected.

Comments
1. Karen Challinor
sorry to bang on with this particular comparison but you don't get people losing bags of money in the street
and this is because money is perceived as valuable whereas our data isn't, unless you are a market researcher or identity thief then the value is known pretty much exactly
this needs to change and quickly
and four months on from HMRC's debacle and the promised new powers for the data protection office haven't even been discussed, never mind the preparation of draft bills to go before the house
and please note I am not equating market researchers with identity thieves
2. John H Woods
Chief executive [...] Richard Popplewell said [...] the drive did not have a protective cover and had been dropped on a road during a rainy day ... "It is extremely likely that the data was lost in circumstances in which it would be unrecoverable."
And here is a picture of the 2004 Boxing Day tsunami recovered from a broken camera washed up on a beach after an extensive salt-water pummelling: http://edition.cnn.com/interactive/world/0502/gallery.tsunami.photos/frameset.exclude.html
3. Chris Goodman
Yet again data has been copied from a mainframe store onto a portable storage device.
Questions to be answered:
Why was it necessary to copy the data?
Who authorized it and, presumably, dictated the form of portable device to be used and what security was required?
Who gets the sack for failing - if the bearer had been knocked over or had an accident I can accept but otherwise it is carelessness?
The ability to copy data onto portable devices, be it CD, DVD or portable drive should be extremely limited,
4. Jeremy Wickins
I agree wholeheartedly with Chris - why are these data being moved around anyway? If there is a real need, why are they being moved unencrypted, by people so bloody careless that they can lose a usb stick? OK, we know there are some problems with sending stuff over the internet, but with VPSs there is a reasonable amount of security. Encrypt the data strongly, and there is a very small chance of the data being useful if lost. This incompetence really must stop - as Karen says, personal data are valuable, and should be treated as such.
5. Richard
Why the fuss: Just the NHS losing NHS data!
As shown by the recent announcement of "presumed consent" for organ donations, we're now all "owned" by the NHS - expect further proclamations telling us to take more care of our bodies while we have them on loan from the NHS!
So, "patient data" is simply management information used by the NHS to manage its own property:
ie. The data belongs to the NHS: No-one else has rights!
6. anonymous
John H Woods is right, modern solid state devices can be much more robust than anyone would give them credit for.
I left a usb flash drive in my shirt pocket & the wife washed it.
A month later, I found the flash drive in the sump of the washing machine.
The contacts were corroded, but a quick clean off & dry out & it was good as new. All the data stored on it was totally unaffected, and it is still working perfectly.
7. James Button
Financial penalties to miscreant, and management are the only way that losing, disclosing, corrupting or plain not bothering about the security and safety of data is going to really worry those able to access data.
From the original, and subsequent 'hype' probably most of the UK public would expect the Data Protection Registrar to be actively taking action to get such financial penalties applied.
NO SUCH LUCK - while the Registrar would appear to have been charged with ensuring the proper care be taken over such data, the department? does not appear to have the teeth, or the will to take effective action.
Then again there has always (well under recent governments) been problems in legally ascribing responsibilities to persons with authority.
Perhaps the government may be interested in enacting such enabling legislation. Then again, perhaps they don't want to be held responsible for happenings in organisations that they are paid to manage.