The Information Commissioner’s Office (ICO) has issued more warnings to NHS bodies after five Trusts have been found to breach the Data Protection Act, with one trust leaving patient notes on a bus.
The latest warnings join a long list of data protection warnings to the NHS, as the ICO once again warned hospital trusts about the importance of data security. In February, three trusts were hit with enforcement action within two weeks.
Five trusts - Royal Free Hampstead, Chelsea and Westminster, Hampshire Partnership, Surrey and Sussex, and Epsom and St Helier — have signed formal undertakings to process personal data legally in future, the ICO said on Tuesday.
In most cases, the data breach involved the loss or theft of IT equipment that contained unencrypted data.
Royal Free Hampstead NHS Trust lost an unencrypted compact disk containing the 20,000 cardiology patients’ details.
An unencrypted memory stick was stolen from the Chelsea and Westminster Hospital Foundation trust, taking with it sensitive medical information of 143 patients. The Trust believes that the information was stolen from an unlocked office that was being used as a walk-in clinic.
In arguably the most shocking case, the ICO said Epsom and St Helier University Hospital NHS Foundation trust in Surrey had been storing hospital records insecurely for two years following data being transferred between hospitals. A ward handover sheet, containing information relating to 23 patients in the care of Surrey and Sussex NHS trust, was found on a bus.
The same trust also reported the theft of two laptops, neither were encrypted.
A further laptop, also unencrypted, was stolen from an employee of the Hampshire Partnership NHS trust. The laptop held the personal data of 349 patients and 258 staff.
The NHS bodies have agreed to implement the appropriate security measures to ensure that personal details are properly protected by establishing physical safeguards, such as locking an office.
Sally-Anne Poole, head of enforcement and investigations at the ICO, said in a statement that the five cases should serve as a reminder to NHS bodies to keep patient data safe.
“Data protection must be a matter of good corporate governance and executive teams must ensure they have the right procedures in place to properly protect the personal information entrusted to them," she said in a statement.
"Failure to do so could result in patient information, including sensitive medical records and treatment details falling into the wrong hands."