An incident in which a Cheshire estate agent found a memory stick she had bought contained confidential clinical records has highlighted the NHS’s failure to implement effective encryption services to protect patient information.

Bolton Royal Hospitals NHS Trust has launched an investigation into how confidential medical records for 13 cancer patients were contained on a laptop memory stick, bought by a local estate agent from a computer equipment supplier.

Information found stored on the device included the names of 13 cancer sufferers from the Greater Manchester area, their dates of birth, addresses, telephone numbers, family medical histories and GP details.

A trust spokesperson told E-Health Insider that it was very concerned about the apparent breach of patient confidentiality. “We are carrying out an immediate and thorough investigation into how it could have happened,” said the spokesperson.

According to a 10 March BBC Online report, Dawn Rozzell, 31, purchased the storage device for her laptop from a supplier in Crewe and found it contained confidential records of patients treated at the Royal Bolton Hospital in Greater Manchester. She then contacted the hospital and passed them the memory stick.

In a statement, the trust confirmed that the memory stick contained information about 13 cancer patients as at 1999. It said the information covered the patients’ hospital number (and in some cases NHS number where known), name, address, date of birth, gender, GP’s name and telephone number, and whether or not there was a family history of the condition (i.e. known or unknown, no further detail).

“As soon as we were able to verify the information we began the process of contacting the 13 patients or their next of kin if appropriate,” said the trust spokesperson. “We have explained the situation to them and offered to keep them informed of the progress of the enquiry.”

The spokesperson added: “We are still investigating how the information came to be on the memory stick which Ms Rozzell bought.” However, she told E-Health Insider that the trust did not use memory devices of the kind the records were found on: “The trust does not use memory sticks.”

Asked whether this would suggest the device had been the personal property of a clinician or other member of staff employed by the trust, she said “I couldn’t comment on that at the moment,” and stressed that a thorough investigation was continuing.

The spokesperson added that the trust’s data protection manager was involved in the investigation and that she was unaware of any previous breach of patient record confidentiality occurring at the trust.

A spokesperson for Greater Manchester Strategic Health Authority said that the incident was a trust matter and appeared to be an “isolated incident”.

“It’s outrageous really that patient data should wind up in the second-hand computer market. It’s not just about encryption but also basic work practices as well,” Dr Paul Cundy, GP and BMA IT spokesperson, told E-Health Insider.

Dr Cundy, who was one of the leaders at the Merton, Sutton and Wandsworth ERDIP site, said that PKI and encryption are not rocket science. “One of the points about our ERDIP site is that you can do PKI, we are now doing it for over 150 practices and 100,000s of messages a year for Out of Hours data.”

He added that the introduction of encryption services NHS-wide seemed to be suffering from planning blight. “I don’t know why it is taking so long.” On a more positive note, he pointed out that NHSMail is shortly due to go live, which will encrypt messages in transit.

NHS Encryption Position Appears Garbled

The need to encrypt all patient-sensitive information that is held or transmitted electronically has been a key concern of the BMA in relation to NHS IT for almost a decade. However, development and implementation of an effective encryption and confidentiality strategy for the NHS has been repeatedly delayed and does not look likely to be resolved in the immediate future.

The 2001 update to Information for Health, Building the Information Core – implementing the NHS Plan, promised “the procurement and implementation of a full Public-Key Infrastructure that will be available for use across the NHS by April 2002”. This target passed unmet, and encryption remains rare within the NHS outside specific projects such as pathology messaging and some of the ERDIP sites.

Despite these continuing delays, it remains official NHS policy that no patient identifiable information should be transmitted electronically without being encrypted, though many within the NHS privately acknowledge that this is a rule honoured more in the breach than the observance. Adherence to this formula in the absence of widespread encryption and confidentiality services and tools severely curtails the clinical value and utility of key NHS IT infrastructure investments such as NHSnet.

The latest official position obtained by E-Health Insider this week makes for cryptic reading itself. Essentially, though targets have been missed, the same basic objectives remain: “The aspirations already set out in the published strategy for NHS use of cryptographic support services and its subsequent update remain current.”

However, the DoH statement goes on to make clear that the whole of the cryptographic strategy has been dropped back into the melting pot as part of the development of the National Programme:

“The IPU, The NHS IA and The NHS Design Authority are now jointly reassessing NHS requirements for cryptographic services in line with perceived National Programme needs and priorities. As a consequence, it is expected that new targets may be established and that future deployments of relevant cryptographic technologies, including encryption, will be aligned accordingly. It is anticipated that there will be a further update on these matters once these requirements have been agreed.”