Health Department Lost Hundreds Of Laptops

The Department of Health has lost more than 250 laptops over the past ten years, including 140 that may not have been encrypted, according to a new report.

The finding comes on the heels of a warning by the Information Commissioner’s Office (ICO) that the NHS must do more to prevent data breaches. The ICO reprimanded five NHS health bodies earlier this month for breaching the Data Protection Act (DPA).

£200,000 value

The DoH said each of the 250 lost laptops had a value of around £850, amounting to a total of more than £200,000, according to a report by industry journal Computing.

The DoH said all departmental laptops have used encryption since mid-2006, meaning that 140 of the lost laptops may not have been encrypted.

The department also admitted hundreds of mobile phones and BlackBerrys had been lost during a 10-year period.

The DoH lost 10 laptops in the most recent financial year, down from 34 in 2008/9 and 14 in 2007/8.

Security risk

Security fears in the public sector are continuing to grow, particularly around mobile devices, according to industry observers.

A recent survey by Sophos found that most public sector workers – 68 percent – said security risks were increased by the use of personal laptops in the work environment instead of department-owned devices.

Even more, 80 percent, said public servants using personal smartphones posed a security risk, while nearly half said that risk was greater than using a government-owned device, Sophos found. The survey covered 858 respondents.

In its most recent rebuke, the ICO said the health service needed to be particularly careful due to the nature of its work.

“The health service holds some of the most sensitive personal information of any sector in the UK,” said Information Commissioner, Christopher Graham at the time. “Recent incidents such as the loss of laptops at NHS North Central London – which we are currently investigating – suggest that the security of data remains a systemic problem. The policies and procedures may already be in place but the fact is that they are not being followed on the ground.”

NHS Ignorance?

Data breaches within the NHS are a depressingly familiar story. Back in June last year for example, the ICO published a list of the 1,000 data breaches reported since 2007. It found that the NHS was responsible for 305 of the 1,007 reported breaches, almost a third of all recorded data breaches in the UK for the last three years.

And the cycle shows no sign of stopping. Earlier this month, for example, researchers for London Health Programmes revealed that they had lost unencrypted records of 8.63 million NHS patients.

Last October Healthcare Locums Plc breached the Data Protection Act when it lost a hard disc drive (HDD) that contained personal data of the doctors it employed, such as their security clearances and visa information.

In May 2010 a NHS worker in the secure mental health unit of a Scottish hospital was suspended, after losing a USB stick containing patients’ medical records.

In an effort to help the NHS deal with data loss, the ICO produced guidance for health organisations explaining their obligations to keep the personal information they handle secure, as well as giving advice on the security measures that must be in place.

It also carried out a number of audits with health organisations to help them identify ways in which they can improve their handling of personal information.