NHS Hospital Could Face ICO Fine For Data Breach

A Scottish hospital could be facing a fine from the ICO, after an NHS worker lost a USB stick containing patients’ medical records

An NHS worker in the secure mental health unit of a Scottish hospital has been suspended, after losing a USB stick containing patients’ medical records.

According to local newspaper reports, the USB stick contained unencrypted sensitive information – including the criminal histories of some violent patients at the Tryst Park unit at Bellsdyke psychiatric hospital. It was found by a 12-year-old boy in the car park of an Asda supermarket in nearby Stenhousemuir.

Hospital may suffer for data breach

NHS Forth Valley medical director Dr Iain Wallace confirmed that the member of staff has been suspended while an investigation is carried out, but refused to give any further details.

“We are currently assessing the data on the memory stick which has been returned to us,” Wallace told the Aberdeen Press and Journal. “We are in the process of contacting patients and their relatives to offer reassurance and to let them know we are doing everything possible to discover how this incident has occurred.”

Earlier this year, British companies were warned to tighten up their security systems, after the Information Commissioner’s Office (ICO) was given the power to issue large fines for any serious data breaches. Companies that fall foul of the data breach laws now risk a maximum fine of £500,000.

Since the incident involves the loss of medical records, Bellsdyke hospital could be the first organisation to fall victim to the ICO’s new fines. According to data security specialist Credant Technologies, the case may be referred to the regional office of the ICO in Edinburgh for investigation and likely further action.

“The case is the latest in what has become a long history of NHS data losses that David Smith, the ICO’s deputy commissioner, directly referred to in his keynote speech at the Infosecurity Europe show last week,” said Credant product manager Sean Glynn. “Whilst it’s good to hear the Information Commissioner calling for an urgent review of NHS data security, nothing much has changed – we’re still seeing entirely unnecessary data breaches like this.”

Electronic medical records need encryption

According to Glynn, the ongoing migration of medical records to electronic format has exacerbated the problem, with the health service suffering 140 security breaches during the first four months of last year. Glynn emphasised the need for the highest level of encryption when conveying sensitive data, and called for the appointment of an NHS technology czar to oversee the process.

“The technology required to protect data on laptops and removable media is available in the market today, is not particularly difficult to deploy, and can immediately mitigate these risks,” he said. “It’s now time for the ICO to act and push for the appointment of an NHS technology czar to oversee data security issues at all levels – and take action against those health bodies that fail to protect their patients’ data.”

Last month, more than 1000 NHS desktop computer systems were infected with the data-stealing worm Qakbot. While the worm failed to harvest any patient information, security vendor Symantec warned that it was capable of compromising computers in corporate environments as well as government departments.

Also in April, Symantec’s Global Internet Security Report found that the physical theft or loss of a device containing corporate information was the largest single reason for data breaches. However, the report also found that a growing number of breaches were caused by hacking.