Healthcare Locums PLC (HCL)

Posted on by

What

Loss of personal information .

How much

Unknown.

Why

A Network Storage device containing records relating to doctors employed by the data controller was lost or stolen in transit during a move and was sold on eBay. It was eventually recovered.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that contracts are put in place between the Data controller and any contractors it uses to process personal data on its behalf, who must be sufficiently checked. Sufficient physical security measures must be implemented and records of data contained on physical media must be kept.

Reason for action

Neither the network storage device or the personal data contained within it were encrypted. No inventory of equipment being transported was taken and therefore the loss/theft of the device went unnoticed until the eBay buyer contacted the Data controller.

When

14 October 2010

Links

View PDF of the Healthcare Locums PLC Undertaking (Via ICO Website)

View PDF of the Healthcare Locums PLC Undertaking (Breach Watch Archive)

Forth Valley NHS Board

Posted on by

What

Loss of sensitive personal information.

How much

Unknown.

Why

An unencrypted and non-password protected memory stick containing sensitive personal data was handing in to a newspaper.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that any board issued portable media devices are sufficiently encrypted and that sufficient physical security measures are taken.

Reason for action

It was unclear how the memory stick ended up in the possession of the Newspaper, but it was unencrypted and not password protected.

When

30 September 2010

Links

View PDF of the Forth Valley NHS Board Undertaking (Via ICO Website)

View PDF of the Forth Valley NHS Board Undertaking (Breach Watch Archive)

East & North Hertfordshire NHS Trust

Posted on by

What

Loss of sensitive personal information.

How much

Unknown.

Why

Loss of an unencrypted USB stick.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that the data controller’s policy for the use of portable media and storage and use of personal media is clarified and all staff are made aware of its provisions .

Reason for action

The unencrypted USB stick had not been issued by the data controller.

When

20 September 2010

Links

View PDF of the East & North Hertfordshire NHS Trust Undertaking (Via ICO Website)

View PDF of the East & North Hertfordshire NHS Trust Undertaking (Breach Watch Archive)

Yorkshire Building Society

Posted on by

What

Loss of personal information.

How much

A “substantial” number.

Why

Theft of an unencrypted laptop.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all portable media devices are sufficiently encrypted and that appliance with IT security policies is appropriately and regularly monitored.

Reason for action

The laptop was unencrypted and, contrary to policies and procedures the manager had written down passwords and left these and the laptop under his desk overnight.

When

26 August 2010

Links

View PDF of the Yorkshire Building Society Undertaking (Via ICO Website)

View PDF of the Yorkshire Building Society Undertaking (Breach Watch Archive)

DSG Retail

Posted on by

What

Loss of personal information.

How much

Over 100 records.

Why

Paperwork related to credit agreements was found in a skip near the premises.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that the data controller will review its security measures and implement any necessarily security and monitoring measures.

Reason for action

The documents related to transactions two years prior and had been retained beyond the period specified in the data controller’s procedures. The normal procedure for disposing such documents (sending them to a central facility for secure shredding) had not been followed.

When

25 August 2010

Links

View PDF of the DSG Retail Undertaking (Via ICO Website)

View PDF of the DSG Retail Undertaking (Breachwatch Archive)

Zurich Insurance Plc (Zurich UK)

Posted on by

What

Loss of personal information including bank and credit card details and details of insured properties.

How much

46,000 records.

Why

Unencrypted backup tape lost by Data Processor.

Regulator

FSA

Regulatory action

Monetary penalty: £ 2,275,000

Reason for action

Zurich did not audit data processor (a Group company in South Africa) and relied on group policies procedures and controls rather than managing the outsourced relationship as with a normal data processor.

When

24 August 2010

Links

View the press release relating to Zurich Insurance on the FSA website

View PDF of the Zurich Insurance Final Notice (via FSA website)

View PDF of the Zurich Insurance Final Notice (Breachwatch archive)

Royal Wolverhampton Hospitals NHS Trust

Posted on by

What

Loss sensitive of personal information.

How much

112 records.

Why

An unencrypted CD containing scans of patients’ records was found at a nearby bus stop.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all staff are made aware of and trained in the data controller’s policies for the storage and management of data. Patient charts released to consultants are to be signed for on receipt and are to be chased for return within a week and weekly thereafter.

Reason for action

The CD was unencrypted and not password protected. The patient charts it contained were several years old. It was unclear how exactly the CD had came to be made. Any patient charts released to consultants would not be chased for return for a month.

When

19 August 2010

Links

View PDF of the Royal Wolverhampton Hospitals NHS Trust Undertaking (Via ICO Website)

View PDF of the Royal Wolverhampton Hospitals NHS Trust Undertaking (Breach Watch Archive)

The Children’s Mutual

Posted on by

What

Loss of sensitive personal information.

How much

One record.

Why

An annual account statement was accidently sent to an incorrect address.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all staff with access to personal data are made aware of policies regarding its storage and use and that regular reports shall be run in order to identify any address mismatches.

Reason for action

Enquiries revealed that the data controller had not implemented adequate reporting procedures to identify these sorts of discrepancies.

When

19 August 2010

Links

View PDF of the Children’s Mutual Undertaking (Via ICO Website)

View PDF of the Children’s Mutual Undertaking (Breach Watch Archive)

Direct Response Security Systems

Posted on by

What

Breach of the Privacy and Electronic Communications Act

How much

Why

Making of unsolicited marketing calls.

Regulator

ICO

Regulatory action

Enforcement notice issued to ensure that the numbers of any subscribers who have declared that they do not wish to receive marketing calls are suppressed and that a line data is checked against the TPS list every 28 days.

Reason for action

Each of the individuals who complained about the calls from Direct Response Security Systems Limited had already stated that they did not wish to receive such calls, yet continued to receive them.

When

19 August 2010

Links

View the Direct Response Security Systems Enforcement Notice (Via ICO Website) 

Birmingham Children’s Hospital NHS Foundation Trust

Posted on by

What

Loss of sensitive personal information.

How much

17 records.

Why

Theft of two unencrypted laptops from the Medical Day Centre.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that additional measures are put to in place to ensure that data security policies are adhered to consistently. Any portable media must be suitably encrypted, or, if this is impossible due to the functions required, physical security must compensate for the additional risk.

Reason for action

This event followed a previously self reported security breach. The laptops were unencrypted and insufficiently secure.

When

14 July 2010

Links

Birmingham Children’s Hospital NHS Foundation Trust (Via ICO Website)

Birmingham Children’s Hospital NHS Foundation Trust (Breach Watch Archive)