Four computer disks, containing more than seven years’ worth of payroll information for nearly 18,000 NHS staff in London, have been lost in the post.
The disks disappeared in July after the Whittington Hospital NHS Trust’s payroll department sent them to McKesson, which provides it with payroll IT services.
The disks were sent via the postal system. A question and answer list provided by the trust says its standard practice is to send “any such information” by courier.
An envelope containing the disks was put into a post tray marked “recorded delivery” on 22 July. The Q&A says there is no record of the disks being sent, so they are “missing, presumed lost”. An investigation is under way into why the loss was not reported up the organisation until the start of September.
The disks were being sent to McKesson for its archives. They contained the name, date of birth, national insurance number, start date, pay details and sickness record of 17,990 staff who worked at the Whittington, Camden Primary Care Trust, Islington Primary Care Trust, and Camden and Islington NHS Foundation Trust since April 2001.
The Whittington’s payroll department administers the wages and salaries of all these organisations. More than 5,000 staff addresses for the current financial year were also on the disks. The trust is adamant however, that no bank details were on them.
The trust also says that the disks were all protected by alpha-numeric passwords and that “unless found by expert hackers, [these] are very difficult to break."
David Sloman, the trust’s chief executive, has apologised to the staff involved. Dedicated email contact points have been set up to deal with their queries. Meanwhile, the police have been informed and a member of staff has been suspended.
The Q&A says the trust audited its data transfer systems in January, in line with the Department of Health’s instructions following HMRC’s loss of two unsecured disks holding the details of 25 million child benefit claimants in the post at the end of last year.
It says the trust’s data transfer systems have been re-audited in the past week and it is satisfied that “this was a one-off breach of its procedures. Whittington is commissioning an independent review of its information governance systems “to give us further reassurance that they are robust.”
The London trust is not the only NHS organisation to have been forced to admit a data breach this week. A memory stick containing confidential patient information from Tees, Esk and Wear Valleys NHS Foundation Trust was found by a member of the public in Barnard Castle in County Durham.
Managers at the mental health and learning disabilities trust have confirmed that the electronic storage device was lost by a computer technician, who had been upgrading PCs in Teesdale and Weardale and had failed to delete the data from the memory stick.
The trust has launched a full investigation into the incident and is in the process of contacting the 200 service users whose personal information was on the device.
It says early investigations have also confirmed that a number of staff have stored confidential data on their hard drives – contravening trust policies on information security.
Chief executive Martin Barkley said: “Safeguarding patients’ confidential information is of the utmost importance to the trust and we have clear policies and procedures in place to support this.
“There has been a serious breach of these policies and of patient confidentiality. We are very sorry this has happened but grateful that it has been brought to our attention.”
The trust has written to all staff to remind them of their responsibility to safeguard patient information and to follow trust procedure.
He said: “We now need to complete the investigation so that we can learn from this isolated incident and put measures in place to prevent it from happening again.”