ICO raps hospital for breach

A hospital trust in Salford has been the latest to be told off be the Information Commissioner’s Office (ICO) over a data breach.

Salford Royal NHS Foundation Trust was found to have breached the Data Protection Act after a laptop with medical data about 3,500 patients was stolen from an office.

While the laptop did have a basic Windows password in place, the data was unencrypted – and the hospital failed to make the breach public.

“Initially, the incident was treated only as a theft of equipment, resulting in a delay of over one month in reporting and investigating the loss of personal data,” the ICO noted in its enforcement notice.

The ICO has made the trust sign a “formal undertaking,” which requires it to encrypt personal data and take better care protecting access to such equipment.

“The Salford Royal NHS Foundation Trust recognises the seriousness of this data loss and has agreed to take immediate remedial action,” Mick Gorrill, assistant Information Commissioner, said in a statement. “It has also agreed to conduct future audits to ensure compliance with the Act.”

Gorrill added that he was worried about data care across the NHS - a concern the ICO has recently complained to the Department of Health about. “I am increasingly concerned about the way some NHS organisations are failing to securely hold people’s health and personal information. Organisations must implement appropriate safeguards to ensure personal details about patients do not fall into the wrong hands.

The trust had not responded to our request for comment at the time of publication.

Click here to read the top 10 lessons organisations should learn about data breaches.

Email to a friend

Print this page