Kent NHS unit loses CD-ROM with data on 1.6 million patients

According to the information regulator, the trust lost the disk during an office move, placing at risk personal information that included names, addresses, dates of birth, NHS numbers and GP practice codes for 1.6 million patients.

The ICO says its investigations revealed that staff failed to access guidance on how to dispose of the disk and that the team responsible for the loss of the CD-ROM were "not up to date" with NHS information governance training.

During the saga, attempts were reportedly made to retrieve the filing cabinet once the mistake was realised, but by then it had already gone to the landfill and could not be recovered.

Commenting on the NHS unit censure, Chris McIntosh, CEO of ViaSat UK – who has been tracking ICO investigations and penalties for breaches of the Data Protection Act – said that, whilst full details of how well the disk in question was secured have yet to emerge, the ICO’s relatively muted reaction suggests that it may well have been protected.

But, he noted, to lose 1.6 million patients’ details in this way goes beyond carelessness and firmly into negligence territory.

“Whether the CD is lost forever or ends up in the right or wrong hands may still be unknown, but the stark fact is that the personal details of over 2.5% of the UK’s population have been lost and could possibly end up used for identity theft. In this case the ICO has decided that a civil penalty should not apply, even though this summer it singled out the NHS as treading on thin ice with data breaches”, he said.

“Yet, however often these losses happen and how often basic mantras are repeated, there are still actions that organisations have to take. All data must be encrypted in case of loss. Workers must be fully aware of what procedures need to be followed. Organisations must know exactly where their data is at all times. And if equipment is to be discarded, it might be worth checking first to see exactly what its contents are”, he added.

As reported previously, McIntosh and his team analysed more than 2,500 data breaches reported to the ICO up until April of this year and concluded that the regulator needs to penalise all organisations more for data breaches.

ViaSat UK's CEO told Infosecurity at the time that, out of 2,565 reported data breaches, only 36 have been acted on to date and only four of those have resulted in penalties.

The data, he said, was supplied under a Freedom of Information (FOI) Act request and found that the ICO is only using its powers in a tiny fraction, fewer than 1 in 500, or less than 1%, of all reported data breaches.

"The problem is that the ICO doesn't release all the data it could, especially when it comes to data breaches. Furthermore, the size of the fines is laughable”, he said, adding that he concluded that, if you do get reported for a breach, then you don't tend to get prosecuted.

The solution, says McIntosh, is that the ICO needs to go after major company breaches and publicise that fact – "not all of the time, just in blatant cases."

"That way the message will get out and companies who have poor security will quickly understand what might happen."
