NHS Laptop, Mobile Theft Rises Dramatically

Rise in theft of tech from the NHS has prompted warning about cyber risk to patient data

The National Health Service (NHS) has recorded a dramatic rise in the theft of technology, that could potentially be putting patient data at risk.

So says think tank Parliament Street, which published a new report entitled ‘NHS Data Security: Device Loss’, which examines the numbers of the lost or stolen devices reported within NHS hospitals.

The report looked specifically at tablets, mobile phones and laptops, but this is not the only tech that disappears from NHS hospitals.

NHS thefts

Using Freedom of Information (FoI) requests, the report found that the NHS had reported almost 1,300 electronic devices missing over the last three calendar years.

This includes losses reported by both staff and patients on-site at NHS hospitals.

The think tank researchers found that a total of 1,283 devices have been reported missing by 58 NHS hospitals since 2016.

Breaking down the figures, it seems that in 2016, the overall figure of lost devices was 383. This rose slightly in 2017 to 389.

But in 2018 things got worse when the number of lost devices rose to 511. This marks a 33 percent rise in thefts across the three year period.

It is perhaps no surprise that smartphones were the most popular missing devices over the three year period. 2016 saw 284 smartphones disappear, in 2017 it was 309, and then 366 in 2018. This represents an overall increase of 29 percent.

But laptops seems to be the fastest rising device that is being stolen. For example 55 laptops were reported missing in 2016, rising to 81 in 2018 – an increase of 47 percent.

The level of lost or stolen devices tends to vary between hospitals. For example, the NHS Trust with the most recorded devices lost or stolen over the last three years was Eastbourne District General Hospital, which has lost a total of 110 devices since 2016.

The second and third highest number of missing devices were Bradford Teaching Hospital and Salisbury NHS Foundation Trust, which saw 96 and 81 reports of lost or stolen devices respectively.

Some hospitals (James Paget University Hospital and Liverpool Heart and Chest Hospital) that responded to the Parliament Street FoI’s claimed to have had no devices lost or stolen in the last three full years.

And it wasn’t just laptops, smartphones and tablets being stolen. Kings College Hospital for example confirmed that in 2016 they had reports of two breast pumps being stolen and a microwave.

And in 2016 a cheeky patient at University Hospital Southampton managed to steal a ward TV by vomiting on the floor to distract a registered mental health nurse.

The patient then apparently requested privacy and put the TV in his bag. The nurse then helped him carry his bags to the taxi rank, he reported that they felt quite heavy but didn’t think anything of it at the time.

Patient data

Whilst some may find that amusing, the theft of devices that can store data is a worry, considering it could involve patient data.

“Rising thefts of critical mobiles and laptops could pose serious cybersecurity risks to NHS hospitals,” Andy Heather, VP of security firm Centrify said. “Increasingly we’re seeing hackers and fraudsters targeting accredited devices and using legitimate log-in details to gain access to confidential data and private records without raising suspicion.”

“Tackling this problem means adopting a zero-trust approach to all user-accounts, ensuring every employee who tries to access critical information is screened with the necessary password, location and authentication procedures to ensure they are who they say they are,” said Heather.

In 2017 a hacker claiming to be part of the Anonymous hacking group said they had stolen data on 1.2 million patients from SwiftQueue, a private contractor that provides booking services to NHS trusts.

In 2011 a laptop holding the records of eight million patients went missing from an NHS store room. That laptop was one of 20 that disappeared from offices of the North Central London Strategic Health Authority.

And then in 2013 NHS Surrey was slapped with a £200,000 fine by the ICO, after 3,000 patient records, including 2000 related to children, were found on a second-hand machine sold on eBay.

The Information Commissioner’s Office (ICO) said it was one of the most serious data breaches it had ever seen, as a contractor for NHS Surrey failed to completely wipe and destroy 1570 hard drives containing the highly sensitive data.

Do you know all about security? Try our quiz!