NHS laptop with patient records stolen

gallery

Another laptop has been stolen from an NHS hospital - this latest disappeared device contained the records of over five thousand patients.

The laptop was stolen 8 January from the outpatient department at Russells Hall Hopsital, which is part of the Dudley Group of Hospitals NHS Trust. The laptop had been brought to the hospital as part of an anticoagulation clinic and held "limited clinical records" of 5,123 such patients, the trust said.

The trust added that the database was protected by password, and that a separate login and password was needed just to operate the laptop. "Accessing patient information will therefore be difficult," trust spokesperson Paul Farenden said in a statement.

"Clearly this is a serious issue. We take precautions to try to protect all the IT equipment in our hospitals from theft, but given that this is a public building with thousands of people accessing it every day, there are inevitably practical difficulties around security," Farenden said. "Our security team work very hard to ensure the safety of our staff, patients and visitors, but it is very difficult to mitigate against all deliberate acts of theft."

All affected patients have been sent a letter informing them of the theft and explaining that the data is not easy accessible, the trust said. "We have no evidence that the patient information on the stolen laptop has been accessed," Farenden said.

As part of a £135,000 investment into data security, the trust last year bought data encryption software, which is now being rolled out onto all laptops - though not in time to protect the recently stolen device. The trust said it will also encrypt all PDAs and memory sticks.

Security analysts have previously agreed that encryption is key to protecting data, especially when organisations seem unable to stop losing them.

Last week, IT PRO reported two laptops were stolen from a hospital in London. The week before, the NHS admitted losing thousands of smartcards - just the latest in a string of UK data breaches.

Nick Cater, the general manager of Iron Mountain Digital, said encryption was not enough: "Robust, corporate strategies to back up and audit data are all very well. But all it takes is one laptop or PDA to be mislaid for confidential records to be put at risk."

"Recent high-profile breaches prove that no organisation is immune from data loss. And while encryption can soften the blow, it is far from failsafe. On top of encryption, companies need to look into how data can be automatically wiped from stolen or lost devices in order to keep it safe," he added. "Ultimately, human error is unavoidable. But data loss is one issue where technology can triumph."

Organisations had better find a way to triumph, especially if the Information Commissioner has his way. Last year, Richard Thomas said he hoped to make lost laptops and other data breaches a criminal charge.

Email to a friend

Print this page