Doncaster Primary Care Trust

What
Loss of sensitive personal data.

How much
About 220,000 records.

Why
An obsolete out of hours GP service voice recording server that held the personal data of patients was removed without authorisation.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all media storage devices must be sufficiently encrypted. Adequate physical security measures must be put in place to protect such devices.

Reason for action
The obsolete server was removed by an external contractor’s engineer who installed a new server. The obsolete server was not missed until 3 weeks later when the new server failed. During this time the obsolete server was out of the Trust’s control for almost 3 weeks during which time it was briefly booted up twice. It is unlikely the clinical voice records it contained were accessed however.

When
27 April 2009

Links
View PDF of the Doncaster Primary Care Trust Undertaking (Breach Watch Archive)