The Information Commissioner’s Office (ICO) has become involved in another data loss scandal involving an NHS trust, this time located in Wolverhampton.
The Data Protection Act (DPA) was breached by the Royal Wolverhampton Hospitals NHS Trust after it emerged that more than 100 patients had their details exposed in a moderately serious data loss incident.
An optical media disc containing details of scans taken from a total of 112 patients who had visited intensive care at New Cross Hospital went astray and was discovered by a member of the public at a bus stop.
The missing disc was not protected in any way, with no password or encryption in place to keep the personal data out of reach of malicious third parties.
The ICO and investigators from within the trust could not discover the reason for the loss, or indeed the purpose of the disc’s existence in the first place. However, vulnerabilities in data protection and usage policy within the trust have been made apparent.
The ICO’s Mick Gorrill said that the data contained on the disc related to cases from several years ago, but pointed out that any loss of patient data should be considered serious, regardless of the age of the information. He added that an agreement to improve data protection policy within the trust had been forged.
Managers at the trust have committed to follow the rules of the DPA to the letter in the future and they have also agreed to allow the ICO to monitor the manner in which they protect and handle patient data for an undisclosed period.
Security experts have criticised the NHS for its continuing inability to secure patient data and for its use of unencrypted portable media, which is one of the common drivers behind data loss in the NHS and other organisations.
Protecting customer and patient data requires a multi-tiered approach to ensure total security, according to Absolute Software’s Dave Everitt. He added that simple password and encryption systems could allow users to protect data with ease.