A laptop computer holding personal and financial information on 10,000 UK National Health Service (NHS) staff has been stolen from a hospital in Cornwall.
The machine containing payroll data – including names, addresses and bank details – was stolen from the Royal Cornwall Hospitals trust, which hosts the payroll for NHS staff across the county. It was stolen from locked and alarmed premises in Truro, which were forcibly entered during the night on 30 April or in the early hours of 1 May.
A trust spokesperson said the laptop was password protected but was unable to say if any other security measures were in place. Security experts warned that relying on password protection and locking laptops away was "not enough" to protect sensitive data.
The trust spokesperson said the data was usually held on a server, but had been downloaded to the laptop for "a specific piece of work". She added: "From time to time information is downloaded to enable specific pieces of analysis to be done."
No patient information was stored on the computer, she said.
The trust believed the theft was "opportunistic and not for the purpose of obtaining the information stored on the computer", but had advised staff to contact their banks and to consider registration with a fraud prevention service, the spokesperson added.
"Clearly, we are very sorry for any inconvenience or anxiety this may have caused staff."
The trust has launched an internal inquiry into the data security breach. The theft of the laptop is also being investigated by police.
Tim Pickard, vice president of international marketing at security firm RSA, said the trust's data security measures were not sufficient. "Password protection isn't enough and hasn't been enough for some time. Passwords are generally regarded as a very weak form of security."
The trust should look at its security policy and ensure that protection followed the data, he said. "It is not enough to have mobile devices locked away. The policy side needs to be looked at. Is data that travels on mobile devices having the right level of encryption, based on the fact that people do lose things, they do get stolen?"
He added: "If you attach all security to the infrastructure, then while the data is on the server it may be encrypted and access restricted. The problem comes when the data is moved around. You don't have the same security controls in place because it's on devices.
"You need to assign security around the data itself, encrypting data to an appropriate level and managing access criteria based on the data itself."
But Pickard did praise the NHS trust for notifying affected staff speedily. "That's a positive aspect," he said. "There is a debate about breach disclosure. There is now law on this in 30 or so states in the US. We need that debate here."
In March, a laptop containing names, addresses and dates of birth of 11,500 children was stolen from the offices of Nottinghamshire Teaching primary care trust. The machine was later recovered by police.
Last month the Department of Health was forced to apologise after hundreds of doctors' personal details – including home addresses, phone numbers, sexual orientation and previous convictions – were uploaded to the NHS's online application system for specialist medical training posts. The information was available online for several hours. The Information Commissioner is now investigating the breach.