Health trust loses 6,000 prisoners' data on USB stick

Health trust loses 6,000 prisoners' data on USB stick

Summary: An encrypted data stick, with the password attached to the drive on a Post-it note, has been lost at HMP Preston

TOPICS: Networking

A USB drive containing details of over 6,000 prisoners has been lost by Central Lancashire Primary Care Trust.

While the data on the USB stick was encrypted, the password to access the data was attached to the drive on a Post-it note, a Central Lancashire Primary Care Trust (PCT) spokesperson told ZDNet UK on Monday.

The drive went missing at HMP Preston on 30 December, and contained the details of up to 6,360 prisoners. The stick went missing as it was being taken from one area of the prison to another — from the medical clinic to the administration department — to be backed up. The clinic used a legacy, standalone computer to work with information on prisoners, and this was backed up using the data stick.

"We don't believe [transferring data on a USB drive within the prison confines] had been recognised as a security risk — it hadn't been highlighted as a potential issue," said the spokesperson.

The Central Lancashire PCT was already in the process of developing a way to securely transfer medical data from the prison's healthcare system to an NHS server via a network connection, the spokesperson added. Three prisons served by the Central Lancashire PCT are currently being connected to NHS servers.

The prisoner details lost at Preston included surnames, age range, prison number, cell location, prison-clinic appointment times and review dates, said a PCT statement. In some cases, there was reference to clinics attended, medical condition and treatment offered. Conditions specified included asthma, diabetes and mental health, as well as "a very small number of sexual-health references", according to a statement from the PCT on Friday.

Central Lancashire PCT apologised for the loss of the USB drive. "We are deeply sorry — this never should have happened," NHS Central Lancashire chief executive Joe Rafferty said in the statement. "We have launched a full and thorough investigation, and we are taking all necessary steps to ensure it cannot happen again."

Rafferty said that the lost data relates to patients who have accessed HMP Preston's health clinic since the year 2000. Lancashire PCT will contact people affected, and a helpline has been set up for anyone concerned about the loss, details of which appear on the statement.

NHS North West, the Department of Health, the Home Office, the Information Commissioner and the Healthcare Commission have all been informed of the loss of the data stick.

The staff involved have been suspended pending the conclusion of an investigation, said the Central Lancashire PCT spokesperson, who declined to say how many staff had been suspended.

In addition, all of the PCT's USB drives, which are encrypted, have been recalled. They will be re-issued on a named basis. "People that have a data stick will have to understand how to use it, and use it within policy," the spokesperson said.

Topic: Networking

Tom Espiner

About Tom Espiner

Tom is a technology reporter for He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


1 comment
Log in or register to join the discussion
  • Does it even need to be said

    This is undoubtedly a bunch of health professionals under ridiculously tough working conditions, working every day with potentially dangerous patients with in many cases little or nothing to lose. They weren't properly briefed by their management on the security issues, apparently. However, at the end of the day, the data got loose and could easily cause severe problems.

    There are always going to be corner cases like this.

    How many more times does this sort of thing need to happen before the government realise that they NEED to listen to the non-self-appointed-experts on this subject. Just because they are the ones in charge, doesn't automatically qualify them as experts in the field. Just because the advice that comes from the actual experts is so frightfully inconvenient, doesn't mean they can ignore it along with all the other inconvenient facts they routinely toss out with the rubbish.

    This seems to me to be another case of "Policy is Truth". The bureaucratic disease that allows arbitrary policy to be ennobled with the mantle of absolute truth. Once done, this truth then pushes out all inconvenient facts that stand against it. The "Truth" in this case is that the government needs to hold chapter and verse on each and every one of us in a huge set of databases and that nothing else is more important than that; freedom, liberty, privacy and all other outmoded concepts be damned.
    Andrew Meredith