East Surrey Hospital loses details of 800 patients on an insecure USB stick

According to the Crawley Observer, the 800 affected patients were not told of the data loss, and nine other ‘near misses’ - where information was mislaid but found - were also recorded.

Chief executive Michael Wilson is quoted by the local paper as saying that the trust takes the confidentiality of patient information extremely seriously. All staff, he said, should always use encrypted memory sticks when transferring patient data.

“It is regrettable that this didn’t happen on this occasion and the member of staff has been taken through the Trust’s disciplinary procedures and has received further training”, he told the paper.

Commenting on the data loss, Terry Greer-King, Check Point's UK managing director, said that the incident once again highlights the need to enforce security policies on data protection.

“The trust’s policy is that staff should use encrypted memory sticks when transferring patient data, but in this case an unencrypted device was used, and lost. The incident shows that security policies do need to be enforced by solutions that automate data encryption and bar the use of unauthorised devices, so that users have to adhere to those policies. There’s still a security gap to be bridged within a majority of organisations”, he explained.

Over at Cryptzone, Grant Taylor, the IT threat mitigation specialist’s UK vice president, said that ever since David Smith, the deputy commissioner with the ICO, revealed in April last year that the NHS is responsible for one third of the data breaches reported to his office, there has been a steady stream of patient data losses reported in the media, with censures and undertakings signed by the various health trusts involved.

“But has this changed the NHS' strategy on data security? Judging from the stream of NHS data loss reports in the 18 months since the ICO Deputy Commissioner's revelations at Infosecurity Europe 2010, nothing much has changed. This is an utter disgrace”, he said.

“The sad reality is that, with around one in twelve adults employed or involved within the NHS in some way or another, it is perhaps understandable that patient data losses are going to keep on taking place. But that doesn't make them any more acceptable, nor should it detract from NHS IT security professionals' ongoing task to stop incidents like this from taking place”, he added.

Taylor went on to say that, judging from local media reports, the 800 patients' details – which included names, dates of birth and, perhaps more worryingly, details of their operations – were lost in September of last year and have never been recovered.

“Had this been a private company, rather than an NHS trust, the organisation would have been publicly censured and a large fine levied under the Data Protection Act. The fact that this is a government agency that has experienced a total of 10 data loss incidents - and one where the data was not recovered – is highly questionable”, he said.

Edy Almer, vice president of product management with Safend, meanwhile, said the Surrey hospital data loss highlights the value not only of ‘prevention’ but also educating all staff.

“Encrypting all devices, including removable storage, is an easy thing to do and the cost of deployment is more than counterbalanced by the ability to save on incident response. This approach leaves no ‘weak links’ in the chain”, he said.

“This is another situation where an organisation realises a device has gone missing and then scrambles to find the data that was on the device, yet again highlighting the need to selectively block all unauthorized devices and encrypt all other devices connecting to your network in order to protect sensitive data”, he added.
