Eight NHS laptops - one with 8.6m patient records - go missing

According to a report in The Sun newspaper, the eight laptops were part of a batch of 20 stored by London Health Programmes, a medical research facility.

Eight of the notebooks, says the newspaper, have been recovered but a search is still being carried out for the other 12.

"The unencrypted laptop contains sensitive details of 8.63 million people plus records of 18 million hospital visits, operations and procedures", adds the paper.

The Sun goes on to say that, although the loss was reported as a theft, it is not yet clear if the laptops - worth £10,000 each - were stolen, mislaid or dumped.

Both the police and the Information Commissioner's Office are said to be investigating the saga.

Reaction to news of the potentially serious NHS data loss was swift and condemning from the IT security vendor community.

Nick Lowe, head of Check Point Software's sales for Western Europe, said that the scale of this potential data loss drives home just how essential it is to have mandatory, strong encryption on all sensitive, personal information on laptops and portable storage devices - even if those devices are stored in supposedly secure areas within buildings.

"But according to our December 2010 survey, less than half of all UK firms encrypt their laptops - and that figure hasn’t really changed in the last three years. So data security is still being mostly left to chance", he said.

Over at ViaSat UK (formerly Stonewood), Chris McIntosh, the firm's CEO, said that regardless of whether this laptop has been stolen, lost, dumped or is simply sitting in a cupboard somewhere, the key point is that the data on it wasn't encrypted.

"When a machine contains highly sensitive information on literally millions of patients, not securing the data on it by any means possible isn't just careless: it's sheer negligence. With the value of the data on such a machine in the tens of thousands of pounds, spending a little extra on security should be a no-brainer", he said.

McIntosh, who has previously lambasted the Information Commissioner's Office for failing to penalise data breach offenders, added that the NHS unit concerned cannot claim it was ignorant of the dangers of unencrypted machines and the risks of a loss.

"It is to be hoped that the ICO acts swiftly and decisively to pass a strong message in this case and that, more importantly, the data on the laptop itself doesn't end up in the wrong hands", he said.

"If it does, innocent members of the public could find extremely sensitive, personal information that should have been strictly confidential being used against them", he added.
