Birmingham Children’s Hospital NHS Foundation Trust

What

Loss of sensitive personal information.

How much

17 records.

Why

Theft of two unencrypted laptops from the Medical Day Centre.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that additional measures are put in place to ensure that data security policies are adhered to consistently. Any portable media must be suitably encrypted, or, if this is impossible due to the functions required, physical security must compensate for the additional risk.

Reason for action

This event followed a previously self-reported security breach. The laptops were unencrypted and insufficiently secure.

When

14 July 2010

Links

Birmingham Children’s Hospital NHS Foundation Trust (Via ICO Website)

Birmingham Children’s Hospital NHS Foundation Trust (Breach Watch Archive)

Basingstoke and North Hampshire NHS Trust

What
Unnecessary sharing of sensitive personal data.

How much
917 records

Why
An excessive amount of data was emailed to another Trust partner via a non-secure email account.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that staff are given sufficient training and that only the minimum data for the intended purpose is extracted or transferred.

Reason for action
The spreadsheet containing the records was not password protected and the department had no “business need” to have access to the clinical data.

When
15 June 2010

Links
View PDF of the Basingstoke and North Hampshire NHS Trust Undertaking (Via ICO Website)

View PDF of the Basingstoke and North Hampshire NHS Trust Undertaking (Breach Watch Archive)

NHS Stoke-on-Trent

What

Possible loss of sensitive personal data.

How much

2,000 records

Why

Following a request for information about a patient’s medical records, it was discovered that the physical paper records were not within the storage system; later enquiries revealed that about 2,000 records had not been stored.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that adequate physical security for physical records is provided.

Reason for action

It is believed that the records may have been accidentally destroyed or misfiled. Insufficient physical security and tracking was maintained.

When

11 May 2010

Links

View PDF of the NHS Stoke-on-Trent Undertaking (Via ICO Website)

View PDF of the NHS Stoke-on-Trent Undertaking (Breach Watch Archive)

Birmingham and Solihull Mental Health NHS

What
Loss of sensitive personal data.

How much
A few records.

Why
A laptop storing a number of details relating to patients who had received mental healthcare within the trust, together with a number of staff records, was lost.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are suitably encrypted. Physical security measures must be adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, retention, or disposal of personal data.

Reason for action
The laptop was stored in an unlocked filing cabinet in a secure, but not alarmed, office. At the time, the majority of data stored on the laptop was out of date and had no business need to be retained.

When
9 April 2010

Links
View PDF of the Birmingham and Solihull Mental Health NHS Undertaking (Breach Watch Archive)

Southampton University Hospitals NHS Trust

What
Loss of sensitive personal data.

How much
Approximately 33,000 records.

Why
An unencrypted laptop was stolen from a retinal screening vehicle.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transmit personal data are suitably encrypted. Physical security measures must be adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage, use, or disposal of personal data.

Reason for action
The vehicle was left unlocked and unattended during the theft.

When
14 December 2009

Links
View PDF of the Southampton University Hospitals NHS Trust Undertaking (Breach Watch Archive)

Great Yarmouth & Waveney Primary Care Trust

What
Loss of sensitive personal data.

How much
1,000 records.

Why
Two desktop computers were stolen from premises with minimal security.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that portable media devices and laptops containing personal data are suitably encrypted and password protected. Physical security measures must be adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage or use of personal data.

Reason for action
The desktop computers were both unencrypted and without password protection. The data held on these computers should have been held on a network server. The premises where the computers were stored had no intruder alarm or security locks.

When
3 November 2009

Links
View PDF of the Great Yarmouth & Waveney Primary Care Trust Undertaking (Breach Watch Archive)

Ashford & St Peter’s Hospitals NHS Trust

What
Loss of sensitive personal data.

How much
A number of records.

Why
Three unencrypted USB memory sticks were lost or stolen over a period of several weeks between 28 May and 26 June 2009.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that portable media devices and laptops containing personal data are suitably encrypted. Physical security measures must be adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage or use of personal data.

Reason for action

The USB sticks were unencrypted and their loss was not formally reported to the data controller’s management until after the third incident in late June 2009. The investigation into these incidents revealed a lack of understanding and awareness among staff of the requirements of data protection legislation. It was also revealed that staff had not received any formal data protection training.

When
20 October 2009

Links
View PDF of the Ashford & St Peter’s Hospitals NHS Trust Undertaking (Breach Watch Archive)

Maidstone and Tunbridge Wells NHS Trust

What
Loss of sensitive personal data.

How much
About 33 records.

Why
An unencrypted laptop was stolen from the Audiology Department. Three other encrypted laptops belonging to the data controller had also been stolen a month prior.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that within six months any personal data held on a laptop computer or any other removable media by the data controller is identified and encrypted.

Reason for action

Sensitive data was transferred to the memory stick in breach of Council procedure and was not password protected. The employee intended to use the data to work at home, but lost it during his commute.

When
16 October 2009

Links
View PDF of the Maidstone and Tunbridge Wells NHS Trust Undertaking (Breach Watch Archive)

Gloucestershire Primary Care Trust

What
Loss of sensitive personal data.

How much
About 2,270 records.

Why
Six unencrypted desktop computers containing personal data relating to 2,270 patients were stolen from a locked office.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that portable media devices and laptops containing personal data are suitably encrypted. Physical security measures must be adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage or use of personal data.

Reason for action
The computers were password protected but not encrypted. The patient data should have been held on a local server rather than on the hard drives of the stolen computers.

When
15 October 2009

Links
View PDF of the Gloucestershire Primary Care Trust Undertaking (Breach Watch Archive)

NHS Grampian

What
Loss of sensitive personal data.

How much
About 1,700 records.

Why
Three separate incidents.

  • The inappropriate distribution of an email containing sensitive personal data relating to an individual.
  • Documents containing personal data of around 200 patients and staff were taken from a confidential waste bag.
  • An unencrypted laptop containing the personal data of over 1500 patients was stolen.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all portable media devices used to store or transport personal data are suitably encrypted. Any personal data stored on portable devices must be backed up to the network server on a daily basis. Confirmation of success is to be obtained from the IT department and any failure corrected without delay. All staff must be made aware of the data controller’s policy for the storage and use of personal data and be trained to follow it. Physical security measures must be adequate to prevent unauthorised access to personal data.

Reason for action

  • A senior nursing manager distributed an email from another senior manager to over 50 other staff without first consulting either the sender or the data controller’s Information Governance Manager.
  • Documents were removed from a confidential waste bag held at a nursing station on the labour ward and sent to the data controller’s Chief Executive, claiming they’d been found in a skip. Investigations revealed that access to this waste could have been gained by staff, patients and even visitors. Many staff were unaware of the correct policies for disposing of sensitive waste.
  • An unencrypted laptop containing the entire database of patients suffering from a particular disease was stolen from a locked office. The laptop had not been successfully backed up to the data controller’s network server in the month prior to the theft, meaning that a small amount of this data was only stored on the laptop.
  • Finally the enquiries into these incidents revealed that certain staff were using home computers for work-related tasks involving personal data and then transferring that work via unencrypted USB sticks, in breach of the data controller’s policies and procedures.

When
3 September 2009

Links
View PDF of the NHS Grampian Undertaking (Breach Watch Archive)