The Information Commissioner’s Office has taken enforcement action against another four NHS organisations, taking the number rapped for data breaches to 14 in six months.
Cambridge University Hospital NHS Foundation Trust, NHS Central Lancashire, North West London Hospitals NHS Trust, and Hull and East Yorkshire Hospitals NHS Trust have become the latest organisations to sign legally binding agreements to abide by the Data Protection Act.
Laptop, desktop and USB-stick thefts and losses put patient confidentiality at risk at the four organisations. But the ICO was particularly critical of NHS Central Lancashire, which reported the loss of a memory stick holding the medical treatment details of 6,360 prison patients.
The memory stick was encrypted, but the ICO noted that “the details could be easily accessed from a post-it attached to the device, listing the password necessary to read the information.”
Assistant information commissioner Mick Gorrill said: “It is a matter of significant concern to us that in the past six months it has been necessary to take regulatory action against 14 NHS organisations for data breaches.
“In these latest cases, staff members have accessed patient records without authorisation and failed to adhere to policies to transmit information in transit. There is little point in encrypting a portable media device and then attaching a password to it.”
NHS Central Lancashire chief executive Joe Rafferty told the Lancashire Evening Post that his organisation had undertaken an “immediate and urgent review of policies” relating to USB sticks following the incident.
He said this had led to a recall of data sticks and staff being formally reminded about their responsibilities to handle personal data properly.
Cambridge University Hospital NHS Foundation Trust also reported the loss of a memory stick holding the details of 741 patients. A member of staff downloaded the information onto an unencrypted stick without the trust’s knowledge – and then left it in a vehicle, from which it was recovered by a car-wash attendant.
North West London Hospitals NHS Trust reported the theft of two laptops and a desktop computer containing test results and hospital numbers for 361 patients. None of the computers were encrypted.
Hull and East Yorkshire Hospitals NHS Trust similarly reported the loss and the theft of a desktop computer and a laptop holding patient information that was not encrypted.
All four organisations have signed agreements with the ICO that could lead to legal action if they are not kept.