Loss of sensitive personal data.
About 220,000 records.
An obsolete out-of-hours GP service voice recording server that held the personal data of patients was removed without authorisation.
Undertaking issued to ensure that all media storage devices are sufficiently encrypted and that adequate physical security measures are put in place to protect such devices.
Reason for action
The obsolete server was removed by an external contractor’s engineer who installed a new server. The obsolete server was not missed until 3 weeks later, when the new server failed. It was out of the Trust’s control for almost 3 weeks, during which time it was briefly booted up twice. It is unlikely, however, that the clinical voice records it contained were accessed.
27 April 2009