Department of Health loses over 800 mobiles and laptops in past 13 years

The Department of Health has admitted losing over 300 laptops and 400 mobile phones since 1997, raising further concerns that the organisation is not taking its data protection obligations seriously enough.

Responding to a written question from Conservative MP Chris Skidmore on the number of laptops and mobile phones that had been lost or stolen, health minister Simon Burns provided figures from the past 13 years, but declined to differentiate between lost and stolen devices.

The figures rise and fall each year, seemingly at random. For example, 25 laptops were lost or stolen in 1997/98, while just 11 went missing in 2006/07 and 34 in 2008/09.

Overall, 326 laptops and 446 mobile phones, including BlackBerry smartphones, went missing during the period. 

Chris McIntosh, chief executive at encryption firm ViaSat UK, pointed out that the number of missing devices is not as large as it appears given the size of the Department of Health as an employer, but added that it raises serious concerns about whether data on the devices was protected.

"The sheer number of devices and the nature of their users' work means that if even one is unsecured the consequences for patients could be severe," he said.

"Apparently, the average cost of a Department of Health laptop is £850. One would hope this price includes the necessary encryption and other security considerations to prevent data being accessed from a lost device."

McIntosh also noted that the mobile phone losses could have serious implications, as simply using a BlackBerry is not enough to guarantee encryption.

"Given that mobile devices are still difficult to adequately secure we must hope the lost BlackBerrys contained no sensitive data. If this is the case, and if the laptops were encrypted, then we have a simple case of replacing hardware," he said.

"However, if sensitive data is being put at risk the Department of Health must improve its procedures."

A DoH spokesperson confirmed to V3.co.uk that all devices provided to staff since at least 2007 are protected and that BlackBerry's are set to wipe themselves if someone tries to guess the passcode.

"All departmental laptops are encrypted to protect any information stored on them and Blackberry hand held devices wipe all the data stored on them after a series of failed attempts to enter the correct user ID and password," they said.

They were unable to confirm how far back this practice went, though, suggesting some of the lost devices could well have been unprotected.

The NHS has frequently been reprimanded by the ICO for data breach incidents. The North London Hospital Trust is currently under investigation for losing a laptop containing the details of eight million patients.