Ashford and St Peter’s Hospitals NHS Trust has been criticised by the Information Commissioner for losing three unencrypted USB sticks containing sensitive information about cancer patients.

The devices, which were lost over a period of weeks between 28 May and 26 June 2009, contained the full treatment and diagnosis history of numerous cancer patients. The information was recorded in Microsoft Word format, leaving it accessible to anyone with a computer.

The incident was not formally reported to the data controller’s management until after the third incident in late June 2009.

Mick Gorrill, assistant commissioner at the ICO, said: “I urge all NHS organisations to restrict and encrypt the amount of sensitive information stored on portable devices.

“In this case, our investigation found that there was a lack of understanding and awareness among staff of their responsibilities under the Data Protection Act.

“Good data protection practice should be a matter of corporate governance and I am pleased the trust is implementing a number of changes to alert staff to data protection policies and procedures in the future.”

According to an undertaking signed by Andrew Liles, the chief executive of the trust, the USB sticks were used to transfer up-to-date patient data for display at weekly multi-disciplinary clinical team meetings, held to discuss and plan treatment and care for cancer patients.

The undertaking adds that: “The investigation into these incidents revealed a lack of understanding and awareness among staff of the requirements of data protection legislation and of internal policies and procedures.

“It further revealed a lack of provision for staff training, with some staff never having received any formal data protection training.”

The trust has pledged to improve data security and confirmed that all portable devices used to store personal data will be encrypted using the current standard or equivalent.

It has also pledged that staff will receive the appropriate training and will be aware of the hospital’s policy for the storage and use of personal data. In a statement, the trust said: “A key action has been to introduce additional update sessions for staff, and this programme will be complete by the end of the year.”

Trust chief executive Andrew Liles added: “We are extremely sorry that this incident happened, and have apologised to each of the 76 patients concerned.

“We take incidents of this severity extremely seriously indeed, and each patient was individually contacted as soon as the data loss became clear earlier this year. We also wrote to each patient’s GP.” The trust also set up a free-phone helpline for three weeks, which received 17 calls.

Mr Liles continued: “We would like to reassure patients and members of the public that we have learnt from this incident. We remain vigilant and are doing all we possibly can to ensure this does not happen again.”

Link: The trust’s undertaking on the ICO website