NHS Researchers Lose Laptop With 8m Patient Records

Researchers for London Health Programmes have lost unencrypted records of 8.63 million NHS patients

A laptop holding the records of eight million patients has gone missing from an NHS store room, reports Mike Sullivan in The Sun newspaper.

According to the report, the laptop was one of 20 that disappeared from offices of the North Central London Strategic Health Authority. The room was being used by London Health Programmes, a medical research organisation. The Programme has confirmed the loss of the laptop and the data it contained.

Missing For Three Weeks

The computers went missing three weeks ago but the theft has only just been reported to the police, Sullivan claimed. The unencrypted records held details of 8.63 million patients and 18 million hospital visits, procedures and operations.

London Health Programmes evolved from the work of the Healthcare for London programme and NHS Commissioning Support for London (CSL) and develops proposals to improve health and healthcare services for Londoners. The organisation is currently reviewing care procedures for a variety of health issues, including cancer, tuberculosis, mental health and burns.

eWEEK Europe contacted the authority but was told: “I don’t know anything about this – and there is no one in the office who can help you.” Statements from the programme, however, indicate the laptop was used for statistical analysis, and was somehow missed from the organisation’s policy of wiping data. Although password-protected, it was not encrypted.

Reportedly, the police said they were “dismayed” by the loss, and the incident has been passed to the Information Commissioner’s Office (ICO) for further investigation.

“Regardless of whether this laptop has been stolen, lost, dumped or is simply sitting in a cupboard somewhere, the key point is that the data on it wasn’t encrypted,” said Chris McIntosh, CEO of ViaSat UK (formerly Stonewood).

“London Health Programmes can’t claim it was ignorant of the dangers of unencrypted machines and the risks of a loss. There has been a huge focus on IT security recently as incidents, such as the Sony hacking, put ordinary consumers at risk,” he said.

The stolen personal details recorded only gender, age, ethnic origin and postcode, not the patient’s name. Even so, a little research could easily reveal the identity of the individuals.

“It is to be hoped that the ICO acts swiftly and decisively to pass a strong message in this case and that, more importantly, the data on the laptop itself doesn’t end up in the wrong hands,” McIntosh commented. “If it does, innocent members of the public could find extremely sensitive, personal information that should have been strictly confidential being used against them.”

Of the other 19 laptops, eight have been recovered, but where and how has not been revealed, and the search continues for the rest.

An ICO statement said: “Any allegation that sensitive personal information has been compromised is concerning and we will now make enquiries to establish the full facts of this alleged data breach.”