Hillingdon Hospitals NHS Foundation Trust

Breach details

What Cancer referral forms containing sensitive clinical data found in the possession of a local newspaper.
How much Four records.
When Reported on 05 July 2012.
Why The cancer referral forms were prepared for transfer between The Hillingdon Hospital and Mount Vernon Hospital but failed to arrive through the internal mail system. Staff were aware the documents had not arrived but did not escalate the incident. It is unclear at what point the documents left the possession of the Trust and how they were acquired by the newspaper.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle.
When 07 October 2013.
Details The Trust is to implement breach reporting mechanisms and manage an escalation process if personal data does not arrive at its destination. Staff are to be made aware of all procedures and requirements.

Nursing and Midwifery Council

Breach details

What Loss of sensitive personal data (medical and details relating to legal proceedings).
How much Unspecified but small number of records including two vulnerable children’s details. Details and allegations against a medical practitioner.
When 07 October 2011
Why In an echo of the infamous HMRC breach of 2007, three DVDs containing unencrypted data relating to a ‘fitness to practice hearing’ went missing somewhere between the Nursing and Midwifery Council’s offices and the hotel where the hearing was due to take place. Although the package was sent by courier, the data on the DVDs was unencrypted.

BW Comments

Two of the fundamental lesons that every Data Controller should have learned from the HMRC breach were:

  1. Always use couriers when sending personal data on physical media.
  2. Always encrypt data on physical media such as CDs or DVDs.

Although the Nursing and Midwifery Council use a courier, the sensitive personal data was not encrypted. As soon as anything went wrong, enforcement action was bound to follow.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 150,000
When 12 February 2013

Why the regulator acted

Breach of act Breach of the seventh principle: the Council failed to take appropriate organisational measures against unauthorised processing of personal data, such as encrypting the data on the DVDs.
Known or should have known The Council was used to dealing with sensitive data and was aware of the potential damage release of the data would cause. The Commissioner also highlighted his own guidance on the encryption of portable media, dating back to 2007.
Likely to cause damage or distress The DVDs contained the medical information of third parties, including two vulnerable children. The Commissioner repeated his usual argument that data subjects would suffer from substantial distress knowing that their confidential and sensitive personal data has been disclosed to unauthorised third parties and that their data may be further disseminated and possibly misused.

BW Observations

Receiving the report of DVDs that appeared to go missing between a sender and recipient will have caused a stressful outbreak of déjà vu in Wilmslow. Although the data lost related to very few individuals, the sensitivity of the data had a bearing on the amount of the penalty. Organisations should be under no illusions that sending any unencrypted personal data on physical media will attract a monetary penalty.

Lampeter Medical Practice

What
Loss of personal data.

How much
8,000 records.

Why
Loss of an unencrypted memory stick that was posted by recorded delivery.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that any portable media devices used to store data are sufficiently encrypted and that physical security measures are put in place to prevent unauthorised access to physical data, particularly in respect to the unauthorised use of memory sticks.

Reason for action
A practical database was downloaded, without authorisation onto an unencrypted and non password protected memory stick

When
26 May 2010

Links
View PDF of the Lampeter Medical Practice Undertaking (Via ICO Website)

View PDF of the Lampeter Medical Practice Undertaking (Breach Watch Archive)

Shropshire Council

What
Loss of sensitive personal data.

How much
3,742 records.

Why
An unencrypted memory stick containing a social care management database was lost during a postal transfer from the Council’s offices to a regular contractor based in Cardiff.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that portable media devices and laptops containing personal data are suitably encrypted. Databases must only contain information relevant for their purpose and the purpose of transfer. Where possible sensitive personal data should be accessed remotely or hand-delivered. All other post should be adequately tracked and protected. Staff must be made aware of and trained to follow the data controller’s policy for the storage or use of personal data.

Reason for action
Sensitive data was transferred onto the password protected but unencrypted memory stick in breach of council procedure. The memory stick was sent in inadequately protected packaging, and contained records that were excessive for their purpose and out of date.

When
3 December 2009

Links
View PDF of the Department of the Shropshire Council Undertaking (Breach Watch Archive)

HSBC Life (UK)

What

  • Loss of personal data.
  • General lack of controls

How much

180,000 records.

Why

Loss of unencrypted CD in the post.

Regulator

FSA

Regulatory action

Monetary penalty – £1,610,000

Reason for action

Systemic organisational failings in InfoSec. No risk assessment. Repeated transmission of unencrypted data. Customer data held insecurely in office.

When

17 July 2009

Links

Press release on the FSA website

View PDF of the HSBC Life (UK) Final Notice (via FSA website)

View PDF of the HSBC Life (UK) Final Notice (Breachwatch archive)

HSBC Actuaries and Consultants

What

Loss of personal data.

How much

1,917

Why

Loss of unencrypted floppy disk in the post

Regulator

FSA

Regulatory action

Monetary penalty – £875,000

Reason for action

  • Inadequate risk analysis/assessment.
  • Ignored instructions from HSBC group following Nationwide breach

When

17 July 2009

Links

Press release on the FSA website

View PDF of the HSBC Actuaries and Consultants Final Notice (via FSA website)

View PDF of the HSBC Actuaries and Consultants Final Notice (Breachwatch archive)