Employees at South London Healthcare NHS Trust have breached the Data Protection Act four times in the past year, on one occasion leaving sensitive patient data in a grocery store, according to the Information Commissioner’s Office.

The trust informed the ICO of the loss of two unencrypted memory sticks, of ward lists left in a grocery store, and a failure to adequately secure some patient paper files when they were not in use. Each incident involved the loss of sensitive patient data.

The first USB stick was lost after an employee downloaded data onto a personal, unencrypted device in order to do some work at home.

The employee, who had not received the latest information governance training, misplaced the device, resulting in the loss of data relating to around 600 maternity patients.

The second incident involved a memory stick that contained the names and dates of birth of 30 children and full audiology reports for a further three children.

An undertaking to improve data security in the future, signed by the trust, says: “both devices were later found and it is unlikely that they were readily accessible during the time they could not be located.”

The ICO also found that a junior doctor was in breach of trust policy by taking ward lists containing the name, date of birth, diagnosis, treatment plan and test results for 122 patients out of the hospital, subsequently leaving them in a grocery store.

In the final incident, South London reported that some genito-urinary clinic outpatient files were not being locked away when not in use. However, they were being stored in areas with secure access controls.

The ICO decided against exercising his powers to serve an enforcement notice under section 40 of the DPA after “remedial action” was taken by the trust.

A spokesperson for South London Healthcare told eHealth Insider: “The trust has implemented a range of measures to ensure that the incidents which took place last year do not happen again.

“These include ensuring that all USB sticks issued by the trust are encrypted and that computers at the trust will only accept encrypted USB sticks.

“This means that if a USB stick is inadvertently left unattended, the contents on the stick will not be accessible to members of the public. Also the trust continues to focus on improving information governance training levels for all staff.”

Board papers from a public meeting held on 25 January report the incidents as “near misses.”