25 Aug 2010
Yet another NHS Trust has been found in breach of the Data Protection Act (DPA) after it lost sensitive patient records stored on an unencrypted CD.
Data protection watchdog the Information Commissioner’s Office (ICO) explained that the Royal Wolverhampton Hospitals NHS Trust lost a CD containing over 100 records from the Intensive Care Unit of New Cross Hospital’s Heart and Lung Unit.
The CD, which was unencrypted with no password protection, was found at a bus stop near the hospital.
The Trust and the ICO have been unable to find out how or why the CD was made, although it appears the Trust has several areas of weakness in its data protection procedures, including a lack of timeliness in recalling patients’ charts that have been released to consultants.
“The fact that this information was several years old is of no consequence – patients’ personal data should always be handled in accordance with the Data Protection Act,” said Mick Gorrill, head of enforcement at the ICO.
“I am pleased that the Trust has agreed to take remedial steps to ensure such an incident does not happen again.”
The Trust has agreed to sign a formal undertaking with the ICO to ensure similar incidents do not occur again. This will involve better staff training in data protection and ensuring patient charts released to consultants are signed for and chased up for return every week.
Security vendors were quick to criticise the Trust. Mark Fullbrook, UK and Ireland director at Cyber-Ark, argued that it is lucky to have escaped without a fine.
“What’s particularly disappointing in this case is that, with so many better-enabled devices and means of storing information, should this highly sensitive information have really been held and transported by CD?” he added.
“The Trust couldn’t even explain how and why an unprotected CD with patient records was produced in the first place.”
The NHS has a particularly poor track record when it comes to data losses. In June, the ICO's Gorrill was forced to admit that NHS departments are still making far too many mistakes, after Basingstoke and Stoke-on-Trent trusts were found wanting.
However, the ICO has been reluctant to impose strict fines on public sector organisations, choosing instead to adopt a softer, education-led approach.
This comes in sharp contrast to financial regulator the FSA, which yesterday handed out the largest ever data loss fine in the UK when it stung Zurich Insurance for £2.3m.
To-don'ts list for file transfer
Here is a checklist of to-don'ts that the ICO might find helpful in their data protection enforcement efforts with the NHS trusts.
- Don't use USB sticks for transferring confidential patient data
- Don't use CDs for transferring confidential patient data
- Don't post confidential patient data on unsecure FTP sites
- Don't allow use of P2P file sharing on NHS computers
Also Top 3 File Transfer Security Mistakes should be required reading for all NHS trusts: http://www.accellion.com/blog/2010/03/top-3-file-transfer-security-mistakes/
Posted by: Accellion 25 Aug 2010