It has been revealed that East Surrey Hospital in Redhill has lost an unencrypted USB memory stick containing the confidential records of 800 patients. The loss was disclosed in the Surrey and Sussex Healthcare NHS Trust annual report, which states that it occurred in September 2010. Local press with access to the report say the stick held patients' names, dates of birth, addresses and details of their operations. The hospital chose not to inform the affected patients.
Surrey and Sussex chief executive Michael Wilson said “All staff should always use encrypted memory sticks when transferring patient data. It is regrettable that this didn’t happen on this occasion and the member of staff has been taken through the Trust’s disciplinary procedures and has received further training.”
What remains unexplained is how the loss could happen at all, given that the trust already has a policy requiring all data held on removable drives to be encrypted. A policy that depends on each member of staff picking up the right stick is only as reliable as that choice, and this is exactly the failure a written policy cannot prevent on its own. The incident points to negligence and raises the question of how much patient data is routinely carried on unencrypted media.
Terry Greer-King, UK managing director of Check Point, said: "The incident shows that security policies do need to be enforced by solutions that automate data encryption and bar the use of unauthorised devices, so that users have to adhere to those policies."
This is not the first time, and will most probably not be the last, that hospital data has been lost, compromising the sensitive and confidential records of hundreds of patients. Only last year an unencrypted USB stick belonging to East & North Hertfordshire NHS Trust, containing details of patients' conditions and treatments, was lost on a train by a junior doctor.
This latest case makes uncomfortable reading for the NHS: figures released by the Information Commissioner's Office (ICO) in 2010 showed that the NHS recorded the highest number of data loss incidents of any UK sector.
NHS trusts have so far been treated leniently over such incidents, avoiding the penalties and sanctions that private companies face when the same thing happens to them.
Grant Taylor, a vice president at encryption and security specialist Cryptzone, said: "Had this been a private company, rather than an NHS Trust, the organisation would have been publicly censured and a large fine levied under the Data Protection Act."