Setting an example for irresponsibility while violating internal Department of Health policies, the UK National Health Service (NHS) has lost unencrypted data on 31,000 patients. The data was lost when thieves stole several NHS laptops.
Computerworld UK reports:
A laptop containing 11,000 patient records was stolen from a GP's home in Wolverhampton. And St George’s Hospital in London has admitted that six laptops were stolen from its filing cabinets at the start of the month, containing the records of 20,000 patients.
The NHS has a history of losing unencrypted data.
In a rather poor showing of remorse, the NHS explained:
The trust apologised for losing the laptops, and added that it was its policy for laptops not to contain patient data.
“This was done as a temporary measure because of a problem with the computer network. However, the laptops were in a secure area under lock and key,” it said in a statement. “The data was being used to monitor and reduce waiting times at the hospital.”
THE PROJECT FAILURES ANALYSIS
Personal data loss has become an enormous public issue affecting millions of citizens. Until relevant organizational leadership experiences the personal pain of fines and jail sentences, society will continue to face this problem.
- See also: Data loss CEOs should go to jail
I wrote the following when the Bank of New York lost 4.5 million unencrypted customer records:
Strong legislation and strict penalties, including the threat of jail time, are the only way to solve this common problem. If HSBC, the UK’s largest bank, is willing to send out unencrypted data, then this is truly a massive issue. Industry self-policing has not worked and it’s time the government enacted preventive regulation.
Those sentiments remain true today. It's time for the government to mandate encryption of personally identifiable data held by both public and private entities.