Surrey and Sussex Healthcare NHS Trust

What
Loss of sensitive personal data.

How much
103 records.

Why
A ward handover sheet was lost and, in a separate incident, two unencrypted laptops were stolen.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all mobile data storage devices are sufficiently encrypted. Physical security measures must be adequate to prevent unauthorised access to personal data. All staff must be made aware of the data controller’s policy for the storage of personal data and be trained to follow it.

Reason for action
The handover sheet was later found on a bus. The laptops were behind three locked doors, but the investigation revealed that staff had poor knowledge of the requirement to store data relating to Trust business on secure network drives rather than on local devices.

When
3 June 2009

Links
View PDF of the Surrey and Sussex Healthcare NHS Trust Undertaking (Breach Watch Archive)

Salford Royal NHS Foundation Trust

What
Loss of sensitive personal data.

How much
3,500 records.

Why
An unencrypted desktop computer containing personal data was stolen from a locked office.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that appropriate security measures are in place to restrict access to areas where personal data is stored. Any data held on portable media must be encrypted and only held for as long as absolutely necessary. Mandatory induction data protection training must be given to all staff.

Reason for action
The desktop computer was not secured to the desk or encrypted. Initially the incident was treated only as a loss of equipment, resulting in a delay of over one month in reporting and investigating the loss of personal data.

When
22 May 2009

Links
View PDF of the Salford Royal NHS Foundation Trust Undertaking (Breach Watch Archive)

Doncaster Primary Care Trust

What
Loss of sensitive personal data.

How much
About 220,000 records.

Why
An obsolete voice recording server from the out-of-hours GP service, which held the personal data of patients, was removed from the premises without authorisation.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that all media storage devices are sufficiently encrypted and that adequate physical security measures are put in place to protect such devices.

Reason for action
The obsolete server was removed by an external contractor’s engineer while installing a replacement server, and its absence was not noticed until the new server failed almost three weeks later. During that period the obsolete server was outside the Trust’s control and was briefly booted up twice. However, it is considered unlikely that the clinical voice records it contained were accessed.

When
27 April 2009

Links
View PDF of the Doncaster Primary Care Trust Undertaking (Breach Watch Archive)

Central Lancashire Primary Care Trust

What
Loss of sensitive personal data.

How much
6,360 records.

Why
An encrypted memory stick containing data relating to medical treatment was lost by a member of staff.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the data controller takes all reasonable measures to ensure the physical security of personal data being processed, and that mobile media devices are encrypted to a suitable standard. All staff must receive adequate data protection training.

Reason for action
The data controller did not ensure that sufficient security measures were in place to prevent the loss of the data in question. Although the memory stick was encrypted, a “Post-it” note bearing the password needed to unlock it was stuck to the device, so the encryption offered no protection to whoever found it.

When
8 April 2009

Links
View PDF of the Central Lancashire Primary Care Trust Undertaking (Breach Watch Archive)

Hull and East Yorkshire Hospitals NHS Trust

What
Loss of sensitive personal data.

How much
About 2,300 records.

Why
In the first incident an unencrypted desktop PC containing personal data relating to about 300 patients was lost during refurbishment. In the second, a disused unencrypted laptop containing personal data relating to about 2,000 patients dating from before January 2007 was stolen from a locked office.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the data controller takes all reasonable measures to ensure the physical security of personal data being processed. Personal data must not be held on any media for longer than needed. All staff must receive adequate data protection training and be reminded of internal policies regularly.

Reason for action
The data controller did have policies and procedures in place covering data security and the storage and transfer of equipment and data, but they were not followed in either instance.

When
7 April 2009

Links
View PDF of the Hull and East Yorkshire Hospitals NHS Trust Undertaking (Breach Watch Archive)

Cambridge University Hospitals NHS Foundation Trust

What
Loss of sensitive personal data.

How much
741 records.

Why
An unencrypted memory stick containing the personal data of patients was left unattended in a car and found by a car wash attendant, who was able to read the contents of the device and establish who it belonged to.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the data controller takes all reasonable measures to ensure the physical security of personal data being processed by the Trust. Mobile media devices must be encrypted to a suitable standard. All staff must receive adequate data protection training.

Reason for action
The data controller did not ensure that sufficient security measures were in place to prevent the unauthorised copying of patient data onto a memory stick that was neither Trust-owned nor encrypted.

When
3 April 2009

Links
View PDF of the Cambridge University Hospitals NHS Foundation Trust Undertaking (Breach Watch Archive)

Stockport NHS Foundation Trust

What
Loss of sensitive personal data.

How much
1,588 records.

Why
An unencrypted laptop containing sensitive personal data was stolen from a locked hospital room.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the data controller takes all reasonable measures to ensure the physical security of equipment used to process personal data. Mobile media devices must be encrypted to a suitable standard, a clear policy covering the storage and use of personal data must be implemented, and all such devices must be registered with the IT department. All staff must receive adequate data protection training.

Reason for action
The laptop was password protected but not encrypted, so the password offered no protection once the device was in a thief’s hands. It had not been locked in a cabinet as was usual but was stored in a covered box under a desk. The laptop did not appear to have been registered with the Trust’s IT department.

When
25 March 2009

Links
View PDF of the Stockport NHS Foundation Trust Undertaking (Breach Watch Archive)

2gether NHS Foundation Trust

What
Loss of sensitive personal data.

How much
56 records.

Why
Four desktop computers, one laptop and a memory stick containing sensitive personal data relating to patients were stolen from a locked room in the Trust’s building.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the data controller takes all reasonable measures to ensure the physical security of equipment used to process personal data. Mobile media devices must be encrypted to a suitable standard and a clear policy covering the storage and use of personal data must be implemented. All staff must receive adequate data protection training.

Reason for action
The laptop and memory stick were neither encrypted nor locked away out of sight, contrary to Trust policy.

When
24 March 2009

Links
View PDF of the 2gether NHS Foundation Trust Undertaking (Breach Watch Archive)

The North West London Hospitals NHS Trust

What
Loss of sensitive personal data.

How much
About 361 records.

Why
Two laptop computers were stolen and, in a separate incident, a desktop computer was stolen. In both cases the devices held the personal data of patients.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the data controller takes all reasonable measures to ensure the physical security of personal data being processed. All storage devices must be sufficiently encrypted. All staff must receive adequate training in order to fulfil their obligations under such policies.

Reason for action
In both cases the machines were password protected but not encrypted. In the second incident the swipe card system controlling entry to the building had been disabled for maintenance at the time of the theft.

When
19 March 2009

Links
View PDF of the North West London Hospitals NHS Trust Undertaking (Breach Watch Archive)

Hastings and Rother Primary Care Trust

What
Loss of sensitive personal data.

How much
70 records.

Why
A desktop computer containing health data relating to a number of patients was stolen.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that the data controller takes all reasonable measures to ensure the physical security of equipment used to process personal data, whether on the data controller’s own premises or those of another organisation. All staff must receive adequate data protection training.

Reason for action
It is believed that the computer was stolen by an opportunistic thief who entered the building via scaffolding that was not normally in place. The data controller did not own the building, but had nonetheless not taken measures to safeguard the personal data held on the premises.

When
23 January 2009

Links
View PDF of the Hastings and Rother Primary Care Trust Undertaking (Breach Watch Archive)