An NHS trust has been hit by enforcement action by the Information Commissioner's Office following the theft of two laptops containing patient data.
Brent Teaching Primary Care Trustwas found to have breached data protection laws, after two laptops were stolen containing the personal information of 389 patients.
The laptops were stored in a locked office, but were left out on a desk in breach of the PCT’s own security procedures. What's more, the laptops were not encrypted and contained sensitive information, including health details relating to some patients.
The Information Commissioner’s Office (ICO) has taken enforcement action against two other trusts in the last fortnight - Abertawe Bro Morgannwg University NHS Trust and Tees, Esk and Wear Valleys NHS Foundation Trust – in breach of the Data Protection Act.
The ICO has required all three trusts to sign a formal undertaking agreement that they will encrypt all data in future and improve security in line with the Data Protection Act.
The trusts will also be required to ensure staff are adequately trained.
"Whilst the number of people affected was relatively small, some people’s sensitive health information was contained on the stolen laptops," said Mick Gorrill, assistant commissioner at the ICO.
"I am increasingly concerned about the way some NHS organisations are transferring sensitive records onto laptops and other mobile devices that are not encrypted. Organisations need to ensure they implement appropriate safeguards to ensure personal details about patients are processed securely.”
Abertawe Bro Morgannwg University NHS Trust in Wales was found to have breached data protection laws after an unencrypted computer containing the sensitive personal data of approximately 5,000 patients, was stolen from an unlocked office.
Meanwhile, Tees, Esk and Wear Valleys NHS Foundation Trust, a trust in the north of England, was also reprimanded by the ICO for losing a data stick containing information on patients and staff.
Failure to meet the terms of the formal undertaking is likely to lead to further enforcement action by the ICO.