NHS laptop loss could put millions of records at risk

NHS laptop loss could put millions of records at risk

Summary: Police and the ICO are investigating the loss of laptops by a subsidiary of an NHS London health authority, one of which is thought to hold millions of patient records

SHARE:
TOPICS: Security
3

A laptop containing unnamed patient information has gone missing from a subsidiary of the NHS North Central London health authority, putting the privacy of patients at risk.

NHS ribbon

A laptop containing unnamed patient information has gone missing from a subsidiary of the NHS North Central London health authority. Photo credit: comedy_nose/Flickr

The Sun reported on Wednesday that the laptop, which was lost along with 19 others three weeks ago, contained the unencrypted health details of over 8.63 million people and records of 18 million hospital visits, operations and procedures. It was taken from a storeroom of London Health Programmes, a medical research organisation based within the NHS North Central London health authority.

Both the UK's privacy watchdog, the Information Commissioner's Office (ICO), and the police are investigating.

"Any allegation that sensitive personal information has been compromised is concerning, and we will now make enquiries to establish the full facts of this alleged data breach," the ICO said in a statement on Wednesday.

According to The Sun, the patient data did not cover names, but did contain postcodes and details of gender, age and ethnic origin.

NHS North Central London confirmed the loss of the laptops. However, it declined to confirm how many patient records were affected, what those records contained or whether any data was compromised, saying it was still looking into the matter.

"One of the machines was used for analysing health needs requiring access to elements of unnamed patient data," the health authority said in a statement. "All the laptops were password protected, and our policy is to manually delete the data from laptops after the records have been processed."

The London health authority does not know if the data on the device had been wiped. "The laptop is missing, so that can't be determined," a spokeswoman told ZDNet UK.

 [The NHS] holds millions of [bits of] data on millions of people. They're probably the body that hold the most sensitive data in the UK.

– ICO

If the data has been breached, the implications could be serious, according to the ICO. "[The NHS] holds millions of [bits of] data on millions of people. They're probably the body that hold the most sensitive data in the UK, they have millions and millions of records being accessed every day," a spokeswoman for the ICO told ZDNet UK.

In 2010/2011, the NHS reported 165 security breaches to the ICO, the privacy watchdog said.

Christine Connelly, the government's chief information officer for health, told ZDNet UK in April that the NHS had reduced the amount of data it had exposed, after being named by ICO as the organisation with the highest number of breaches in 2009/2010. "Higher levels of encryption mean we get to the point where what gets lost is the physical asset," she said at the time.

However, NHS North Central London could not confirm that the patient record data on the missing laptop was encrypted.


Get the latest technology news and analysis, blogs and reviews delivered directly to your inbox with ZDNet UK's newsletters.

Topic: Security

Jack Clark

About Jack Clark

Currently a reporter for ZDNet UK, I previously worked as a technology researcher and reporter for a London-based news agency.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

3 comments
Log in or register to join the discussion
  • There is *NO EXCUSE** for this today. This a disgrace.

    People responsible and/or with management oversight need

    - A good sacking, after appropriate due process if found wilfully negligent or guilty of gross misconduct,
    - Prosecuted under the Data Protection Act - Significant fines or jail time, if found culpable.

    As with Anti Virus, there are many freeware disk encryption products out there for corporates too skinflint and weasel infested to pay for some commercial stuff. Wield Google and look for Truecrypt, for starters.
    neil.postlethwaite
  • Its easy to fix this. Imprison the chief executive for a couple of years - hey presto, no more unencrypted laptops. But the information commissioner appears to be toothless, especially with large government type organisations
    kaymo@...
  • What people tend to forget about is physical laptop security. Yes encryption is important - in the scenario that the laptop falls into the wrong hands. However using a laptop lock surely has to be the NHS' first line of defence. http://bit.ly/lleed0 This blog has coverage about all the main NHS laptop thefts that resulted in data loss, along with some good ideas about how they can improve their security against future disasters like this!
    anonymous