Eastern and Coastal Kent Primary Care Trust

What

Loss of personal data.

How much

1.6 million records.

Why

A filing cabinet containing records was sent to a landfill during a move; however, it also contained a CD holding data on 1.6 million patients.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that staff receive the necessary Information Governance training and are made aware of retention and storage policies.

Reason for action

A failure of internal communication meant that the presence of the CD in the filing cabinet was not known to those disposing of it.

When

14 September 2011.

Links

View PDF of the Eastern and Coastal Kent Primary Care Trust Undertaking (Via ICO Website)

View PDF of the Eastern and Coastal Kent Primary Care Trust Undertaking (Breach Watch Archive)

London Ambulance Service NHS Trust

What

Loss of sensitive personal data.

How much

Unknown.

Why

Theft of unencrypted laptop from a staff member’s home.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that staff members are made aware that sensitive personal data is not to be forwarded to personal email accounts under any circumstances.

Reason for action

Data was emailed by a staff member to a personal account and downloaded onto a personal, unencrypted laptop.

When

07 September 2011.

Links

View PDF of the London Ambulance Service NHS Trust Undertaking (Via ICO Website)

View PDF of the London Ambulance Service NHS Trust Undertaking (Breach Watch Archive)

University Hospital of South Manchester NHS Foundation Trust

What

Loss of sensitive personal data.

How much

87 records.

Why

Loss of an unencrypted memory stick by a medical student.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that students are provided with sufficient training and that the security of personal data is sufficiently monitored.

Reason for action

It was assumed that the medical student had already received sufficient data protection training. Sensitive data was copied from an encrypted memory stick provided by the hospital to an unencrypted personal memory stick.

When

07 September 2011.

Links

View PDF of the University Hospital of South Manchester NHS Foundation Trust Undertaking (Via ICO Website)

View PDF of the University Hospital of South Manchester NHS Foundation Trust Undertaking (Breach Watch Archive)

Luton Borough Council

What

Discovery of flawed encryption.

How much

None.

Why

A flaw in the encryption of memory sticks allowed them to be reformatted, removing the encryption.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all encryption is up to a sufficient standard.

Reason for action

Encryption was of an insufficient standard and this was only discovered during a recall of old devices.

When

02 September 2011.

Links

View PDF of the Luton Borough Council Undertaking (Via ICO Website)

View PDF of the Luton Borough Council Undertaking (Breach Watch Archive)

Northamptonshire Healthcare NHS Foundation Trust

What

Loss of sensitive personal data on two occasions.

How much

One record.

Why

A patient’s records had not been indexed.

Regulator

ICO

Regulatory action

Undertaking issued to ensure sufficient measures are put into place for the storage and security of physical records.

Reason for action

Not all records held by the data controller were indexed.

When

18 July 2011.

Links

View PDF of the Northamptonshire Healthcare NHS Foundation Trust Undertaking (Via ICO Website)

View PDF of the Northamptonshire Healthcare NHS Foundation Trust Undertaking (Breach Watch Archive)

Lancashire Teaching Hospitals NHS Foundation Trust

What

Loss of sensitive personal data.

How much

Two records.

Why

Sensitive personal information was mistakenly faxed to a member of the public on several occasions.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that staff are made aware of the organisation's policies regarding the use and storage of sensitive data and its security.

Reason for action

The wrong number was mistakenly inserted into the fax machine.

When

1 July 2011.

Links

View PDF of the Lancashire Teaching Hospitals NHS Foundation Trust Undertaking (Via ICO Website)

View PDF of the Lancashire Teaching Hospitals NHS Foundation Trust Undertaking (Via Breach Watch Archive)

Basildon and Thurrock University Hospitals NHS Foundation Trust

What

Loss of sensitive personal data.

How much

One record.

Why

Faxes were incorrectly sent to the wrong recipient over a period of at least a year.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that records are transmitted to GPs in a more secure manner and a ring ahead procedure is implemented.

Reason for action

The fax was intended for the patient’s GP, but the wrong fax number was recorded.

When

01 July 2011.

Links

View PDF of the Basildon and Thurrock University Hospitals NHS Foundation Trust Undertaking (Via ICO Website)

View PDF of the Basildon and Thurrock University Hospitals NHS Foundation Trust Undertaking (Breach Watch Archive)

Dunelm Medical Practice

What

Loss of sensitive personal data.

How much

Two records.

Why

Two patient discharge letters were mistakenly sent to an unrelated third party organisation.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that electronic discharge letters are only sent by secure email where possible, and that staff are suitably trained.

Reason for action

Records were transmitted by fax and incorrect numbers were used.

When

01 July 2011.

Links

View PDF of the Dunelm Medical Practice Undertaking (Via ICO Website)

View PDF of the Dunelm Medical Practice Undertaking (Breach Watch Archive)

East Midlands Ambulance Service NHS Trust

What

Loss of sensitive personal data.

How much

One record.

Why

Information relating to a patient was mistakenly faxed to the wrong recipient.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that staff are sufficiently trained in the usage of and policies relating to the fax machine.

Reason for action

The wrong number was mistakenly inserted into the fax machine.

When

01 July 2011.

Links

View PDF of the East Midlands Ambulance Service NHS Trust Undertaking (Via ICO Website)

View PDF of the East Midlands Ambulance Service NHS Trust Undertaking (Breach Watch Archive)

The Ipswich Hospital NHS Trust

What

Loss of sensitive personal data.

How much

29 records.

Why

A member of staff lost patient records in a public place.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that personal data is kept sufficiently secure and that staff are made aware that the removal of such data without clearance is unacceptable.

Reason for action

The member of staff had recently joined the organisation and received no information governance training. This followed a similar loss of data the previous year.

When

01 July 2011.

Links

View PDF of the Ipswich Hospital NHS Trust Undertaking (Via ICO Website)

View PDF of the Ipswich Hospital NHS Trust Undertaking (Breach Watch Archive)