Lost NHS USB drive exposes medical records

The unencrypted device was found by a 12-year-old boy and reportedly contained names, addresses and medical records of patients, including details of some patients' criminal histories.

A member of staff at the hospital has been suspended over the incident.

In a press statement, NHS Forth Valley said: "We are very concerned to learn of this incident and are looking into it as a matter of urgency. We have clear policies in place on the safe use of portable data devices."

"We can confirm a member of staff has been suspended in connection with this incident."

Newswire reports say that the drive has since been returned.

Infosecurity notes that last month, NHS Forth Valley admitted to losing the records of patients being treated in the audiology department, which was blamed on computer failure.

Commenting on the case, Nick Lowe, Check Point's head of Western European sales, said: "This incident shows yet again why data on USB drives must be encrypted at all times. Guidelines and security policies don't stop devices being lost or misplaced."

"The only way to protect data is to use mandatory encryption whenever data is moved or copied, and to ensure that users can't turn off, disable or work around that protection", he added.

Over at Credant Technologies, Sean Glynn, the IT security vendor's vice president, said: "The case is the latest in what has become a long history of NHS data losses that David Smith, the ICO's deputy commissioner, directly referred to in his keynote speech at the Infosecurity Europe show last week."

Glynn went on to say that Mr Smith had singled out the NHS for criticism on the volume of its data breaches and losses, noting that the health agency is responsible for one third of data breaches.

As the deputy information commissioner said at the London event, in most cases the ICO will record an incident but not act on it; it does, however, take action in large-scale breaches where there is potential harm to individuals, he said.

This, he added, is just such a case, as the NHS Scotland facility provides long-term care for adults with severe mental health problems.

Glynn went on to say that NHS Forth Valley has done the right thing and started an urgent enquiry into the incident, suspending the member of staff alleged to have lost the USB stick in question.

"It's interesting to note that the first four months of last year were a poor time for NHS data security when it was reported that the health service suffered 140 security breaches in that period", he said.

"As we said at the time, the fact that the Information Commissioner took action against 14 health trusts in the six months to April 2009 highlights the urgent need for encryption of payroll, human resource and medical records of all types", he added.

According to Glynn, the ongoing migration of medical records in many health trusts to electronic format has not helped matters. But, again, as Credant said 12 months ago, as the UK's various health entities migrate their patient records over to wholly electronic systems, the argument for the highest level of encryption really starts to come into play.

"As we noted then, whilst it's good to hear that the Information Commissioner [was] calling for an urgent review of NHS data security, nothing much has changed - we're still seeing entirely unnecessary data breaches like this", he said.

"We reiterate our suggestion that there needs to be an NHS technology czar to oversee the process. The technology required to protect data on laptops and removable media is available in the market today, is not particularly difficult to deploy, and can immediately mitigate these risks. If the NHS doesn't move quickly to fix its grass roots security processes, these data leaks will carry on happening", he added.

"It's now time for the ICO to act and push for the appointment of an NHS technology czar to oversee data security issues at all levels - and take action against those health bodies that fail to protect their patients' data."
