Security tightened over data loss

http://news.bbc.co.uk/go/rss/-/1/hi/england/cambridgeshire/8027709.stm

Version 0 of 1.

A hospital trust in Cambridgeshire has been ordered to tighten security after a memory stick with medical treatment details of 741 patients went missing.

Cambridge University Hospital NHS Foundation Trust, which runs Addenbrooke's Hospital, was found to be in breach of the Data Protection Act.

The Information Commissioners Office (ICO) said the stick was later returned to the hospital.

The ICO said the Trust has signed an agreement to improve security.

In a statement the ICO said the Trust reported the loss of an unencrypted memory stick containing treatment details "after a member of staff left it in an unattended vehicle" towards the end of last year.

Other ICO cases revealed Central Lancashire Trust lost an encrypted memory stick with details of 6,360 prison patients of HMP PrestonThe North West London Hospitals Trust reported the theft of computers containing the details of test results of 361 patients.Hull and East Yorkshire Hospitals Trust reported the loss and theft of computers containing details of 2,300 patients.

The memory stick, which was privately owned, was discovered by a car wash attendant who was able to access the contents to establish ownership and returned it to the Trust.

Three other health trusts have also been found to have breached the Data Protection Act: Central Lancashire Primary Care Trust, North West London Hospitals NHS Trust and Hull and East Yorkshire Hospitals NHS Trust.

All four have all signed formal undertakings outlining that they will process personal information in line with the Data Protection Act.

'Stark reminder'

The organisations will implement a number of security measures to protect personal information more effectively, said the ICO.

With immediate effect, all portable and mobile devices used to store and transmit personal data will be encrypted.

ICO assistant information officer Mick Gorrill said: "These four cases serve as a stark reminder to all NHS organisations that sensitive patient information is not always being handled with adequate security.

"In these latest cases staff members have accessed patient records without authorisation and on occasions, have failed to adhere to policies to protect such information in transit.

Theft of laptops

"The Data Protection Act clearly states that organisations must take appropriate measures to ensure that personal information is kept secure."

A spokesman for Addenbrooke's Hospital said: "Following an investigation, it became clear that the information contained on the memory stick was only looked at by the car wash attendant before returning it to the hospital.

"The Trust was therefore satisfied that patient confidentiality was not compromised.

"Our staff are constantly being reminded of their duty to protect confidential patient data and not to leave data unattended or unprotected."