A CD containing over 170,000 confidential blood donor records form the Irish Blood Transfusion Service (IBTS) has been stolen in New York.
The data – which was encrypted – had been sent to the New York Blood Centre as part of a software upgrading programme, and was stolen in a laptop when a member of staff was mugged in the city two weeks ago.
Data included personal donor demographic details, name, address, date of birth and gender, but no medical notes, an IBTS spokesperson told E-Health Europe.
In a statement, the IBTS said: “The IBTS today [Tuesday 20 February 2008] confirm that a laptop which contained securely encrypted IBTS data was stolen in New York on Thursday 7th February. The IBTS was notified on Friday, 8th February.
“This data was in New York, because we are upgrading the software that we use to analyse our data to provide a better service to donors, patients and the public service. To do this, we have engaged the services of the New York Blood Centre (NYBC), a public service blood bank, under a data protection and transfer agreement.”
Both the IBTS and NYBC said they are deeply concerned at the theft of the laptop computer but stressed the data was as secure as possible.
The statement said: “We are always aware of the potential for data loss and took all measures to ensure that state-of-the-art data encryption was used. The records were on a CD that was encrypted with a 256-bit encryption key.
“These records were transferred to a laptop and re-encrypted with an AES [Advanced Encryption Standard] 256-bit encryption key. This represents one of the highest levels of security available and to our knowledge there is no record of a successful attack against this level of encryption.”
IBTS said the transfer process between IBTS and NYBC followed robust measures laid down by the European Commission for transferring patient data.
The encrypted CD contained log files generated from transactions on IBTS’s computer system, Progesa – which included 171,324 donor records and 3,294 patient blood group records from between July and October 2007.
IBTS said: “The IBTS has notified the Data Protection Commissioner on Monday 11 February. The IBTS and NYBC are deeply concerned at the theft of the laptop computer. The IBTS is very conscious of its obligations under the Data Protection Acts and has always strived to be fully compliant with those obligations.
“We are writing to each donor affected by this incident to reassure them and to advise them of the possibility, however remote, that their personal data might be accessed. We expect these letters to be posted on Friday 22 February. We will also be writing to the hospitals and GPs who in turn will contact the patients concerned. In the meantime, donors can contact us at the IBTS information line 1850 731 137.”
The police have also been notified and an investigation into the robbery is ongoing, but the laptop has not been recovered to date.
Link
Irish Blood Transfusion Service
Joe Fernandez