A further data loss incident, involving the exposure of confidential details relating to patients by an NHS hospital, has been the subject of an investigation by the Information Commissioner’s Office (ICO), representing yet another scandal to emerge from within the health service in recent times.
The data loss occurred when a USB storage device was left on a train by a junior doctor working at the Lister Hospital in Stevenage, Hertfordshire.
According to reports, the doctor was required to hand over the drive to the person taking over when his shift ended, but he failed to do so and brought the device with him on the commute home, where at some point it was misplaced. The device was unencrypted, leaving the onboard patient data open to exploitation.
The doctor made his superiors aware of the error as soon as it occurred, and this was followed up by an internal inquiry into how the loss came about.
In this instance the ICO identified that the doctor who was responsible for the loss had not been trained in the data handling and security measures which the NHS enforces. This was blamed partly on the fact that he was not provided with an organisation email account to which such information could have been sent.
An ICO spokesperson explained in a statement that further investigation revealed that the hospital’s policies on data protection and the use of non-sanctioned USB storage devices were vague. The investigation also found that the systems would not automatically block the use of unencrypted third-party devices.
The ICO’s Mick Gorrill said that no responsible organisation within the NHS should consider the use of unencrypted devices for the storage and transportation of personal data as appropriate or adequate.
Mr Gorrill pointed out that if the transferral of data via a physical device is necessary for the operation of a hospital, it must be governed by the strictest of security procedures to prevent loss or theft.
The NHS’s Nick Carver said that the hospitals and trusts in his care in Hertfordshire will be subject to a rigorous policy review and all staff will be informed of their responsibilities when handling patient data.