East Surrey hospital in Redhill lost an unencrypted USB stick containing the confidential records of 800 patients, the Surrey and Sussex Healthcare NHS trust has admitted in its annual report.
The loss happened in September 2010 and the stick contained details of patients’ dates of birth, names, addresses and operation details, local press with access to the document have reported. Patients were not contacted regarding the loss.
“We take the confidentiality of patient information extremely seriously,” Surrey and Sussex chief executive Michael Wilson said.
“All staff should always use encrypted memory sticks when transferring patient data. It is regrettable that this didn’t happen on this occasion and the member of staff has been taken through the Trust’s disciplinary procedures and has received further training.”
The Information Commissioner’s Office (ICO) was informed at the time of the loss and offered this response in a formal statement.
"After investigating the breach the ICO warned the organisation that their policy covering the storage and use of personal data must be followed by staff and the Trust must make sure that their staff are aware of their policy for the storage and use of personal data and are appropriately trained on how to follow it. The Trust was also warned that any repetition of such an incident may result in formal regulatory action," the ICO said.
A year ago, the ICO took a dim view of East & North Hertfordshire NHS Trust after it lost a single unencrypted USB stick on a train, which came after figures emerged from the organisation that showed that the NHS recorded the highest number of data loss incidents of any UK sector.
Earlier this year, NHS Birmingham East and North was upbraided by the ICO for showing network security poor enough to risk unauthorised access to confidential data.
One unexplained issue in the latest case is that East Surrey hospital has a policy that mandates the encryption of all removable data drives.
“The incident shows that security policies do need to be enforced by solutions that automate data encryption and bar the use of unauthorised devices, so that users have to adhere to those policies, said Check Point UK managing director, Terry Greer-King.”There’s still a security gap to be bridged within a majority of organisations.”
Further controversy will surround the hospital’s decision not to contact the patents affected by the data loss.
“Had this been a private company, rather than an NHS Trust, the organisation would have been publicly censured and a large fine levied under the Data Protection Act,” said Grant Taylor, a VP with encryption and security specialist, Cryptzone.