A Scottish health board has declared a data amnesty after a community health worker lost a USB stick containing personal information on 137 patients.
NHS Lothian has told its staff that anyone who has inappropriately stored sensitive information can come forward and have it safely disposed of without being subject to disciplinary procedures.
The amnesty is part of a data safety campaign that the health board plans to run for its 28,000 employees following the loss of the USB stick at the end of June.
The memory stick contained letters sent to Edinburgh GPs about patients and was reported lost on June 26. Since then the health board has contacted the patients involved and offered them face-to-face meetings and also set up a helpline to offer support and advice.
Peter Gabbitas, NHS Lothian’s director of health and social care said: “A member of staff has reported losing a memory stick of their own which they were using to store information about patients. It’s important to remember that the staff member came to us of their own volition to advise us of this contravention of our policy. The staff member has been active in helping us minimise the impact on these patients. Any threat to patient confidentiality is very serious and management took action as soon as they were informed.”
Gabbitas said the Information Commissioner was also informed about the loss of the memory stick and the police informed although there was no evidence that the data stick had been stolen or any information disclosed.
The board said the information was stored in breach of regulations that prohibit the storing of NHS information on personal portable computing devices and that the member of staff was subject to NHS Lothian’s employee conduct policy.
The health board is now launching its data safety campaign including the data amnesty. The campaign will also include roadshows in hospitals and other NHS Lothian sites, credit-card sized fold-out leaflets to accompany all pay slips, posters in NHS Lothian buildings and screen messages when staff log on to computers.
Martin Egan, director of e-health, said: “Following the reported loss of a memory stick containing patient information we decided to launch a special campaign to drive home the message that data security is everybody’s business. The rules on the issue are clear and simple but people have to follow them if we are to keep information safe.”
The board said its IT security team was also investigating extra safeguards to make it more difficult to download data to unauthorised devices.