News of another significant data loss has emerged from sources at the Information Commissioner’s Office (ICO), with over 8000 people believed to have been affected after an incident at a medical practice in Wales.
An entire database detailing the 8000 residents covered by the Lampeter Medical Practice was transferred from central systems over to a USB drive by an employee. The drive was then put in the post for transport without any kind of encryption in place to ensure the protection of the data that it contained.
The intended recipient at the Health Board’s Business Service Centre never received the USB drive, and the ICO was informed that the drive was now considered lost. This was despite the fact that the sender had paid for recorded delivery, which most would assume to be the best guarantee of getting a package from one place to the other without interference.
The ICO criticised the medical practice because of the fundamentally insecure method of posting sensitive data in order to transfer it from one place to another.
The ICO’s Sally-Anne Poole said that the organisations involved need to do more to raise awareness as to the dangers facing them in relation to data security, with the prevention of loss and embarrassment only possible if regulations were followed and portable storage devices properly encrypted.
In accordance with ICO policy, Dr Rowena Mathew, manager of the practice, has signed an undertaking which requires her to set out mandatory plans to roll out encryption across any other portable storage devices that the practice owns and uses. Staff are also to receive additional training in order to ensure that they understand the ways in which portable storage can be used responsibly and safely, and indeed the ways in which it can be a major weakness.
This data loss is the latest in a long line of incidents which some think prove that the NHS is still not facing up to the potential risks. The ICO’s statistics show that various branches of the organisation have been responsible for more data loss scandals than any other sector or group of businesses, with many calling for significant, grass-roots changes including online data storage and handling.