Home & Office

Health trust loses 6,000 prisoners' data on USB stick

An encrypted data stick, with the password attached to the drive on a Post-it note, has been lost at HMP Preston
Written by Tom Espiner, Contributor

A USB drive containing details of over 6,000 prisoners has been lost by Central Lancashire Primary Care Trust.

While the data on the USB stick was encrypted, the password to access the data was attached to the drive on a Post-it note, a Central Lancashire Primary Care Trust (PCT) spokesperson told ZDNet UK on Monday.

The drive went missing at HMP Preston on 30 December, and contained the details of up to 6,360 prisoners. The stick went missing as it was being taken from one area of the prison to another — from the medical clinic to the administration department — to be backed up. The clinic used a legacy, standalone computer to work with information on prisoners, and this was backed up using the data stick.

"We don't believe [transferring data on a USB drive within the prison confines] had been recognised as a security risk — it hadn't been highlighted as a potential issue," said the spokesperson.

The Central Lancashire PCT was already in the process of developing a way to securely transfer medical data from the prison's healthcare system to an NHS server via a network connection, the spokesperson added. Three prisons served by the Central Lancashire PCT are currently being connected to NHS servers.

The prisoner details lost at Preston included surnames, age range, prison number, cell location, prison-clinic appointment times and review dates, said a PCT statement. In some cases, there was reference to clinics attended, medical condition and treatment offered. Conditions specified included asthma, diabetes and mental health, as well as "a very small number of sexual-health references", according to a statement from the PCT on Friday.

Central Lancashire PCT apologised for the loss of the USB drive. "We are deeply sorry — this never should have happened," NHS Central Lancashire chief executive Joe Rafferty said in the statement. "We have launched a full and thorough investigation, and we are taking all necessary steps to ensure it cannot happen again."

Rafferty said that the lost data relates to patients who have accessed HMP Preston's health clinic since the year 2000. Lancashire PCT will contact people affected, and a helpline has been set up for anyone concerned about the loss, details of which appear on the statement.

NHS North West, the Department of Health, the Home Office, the Information Commissioner and the Healthcare Commission have all been informed of the loss of the data stick.

The staff involved have been suspended pending the conclusion of an investigation, said the Central Lancashire PCT spokesperson, who declined to say how many staff had been suspended.

In addition, all of the PCT's USB drives, which are encrypted, have been recalled. They will be re-issued on a named basis. "People that have a data stick will have to understand how to use it, and use it within policy," the spokesperson said.

Editorial standards