An unreported loss of patient data by NHS Northamptonshire has taken a strange twist in my opinion. The loss of patient data by the National Health Services is nothing new, of course. I've often covered the loss of laptops, portable disks, USB memory drives, and other data storage devices from numerous hospitals in the UK. In most cases, the judicious use of hard drive encryption would have been a great boon towards patient security. This latest case, though, is not a clear-cut case of a patient data breach. Plus, I'm not sure how it could have been prevented.
An unreported loss of patient data by NHS Northamptonshire has taken a strange twist in my opinion. The loss of patient data by the National Health Services is nothing new, of course. I've often covered the loss of laptops, portable disks, USB memory drives, and other data storage devices from numerous hospitals in the UK. In most cases, the judicious use of hard drive encryption would have been a great boon towards patient security.
This latest case, though, is not a clear-cut case of a patient data breach. Plus, I'm not sure how it could have been prevented.
From the story, it sounds like a nurse was visiting patient homes on a motorcycle. Since she was making rounds, she required patient names and addresses, which were recorded in a diary (I'm guessing that's the Queen's English for "daily planner" or something similar. I mean, patient addresses wouldn't make it into my diary, if I had one; it's just be weird). While she was visiting a patient, the motorcycle was stolen, and thusly the diary as well. Based on the classification of this particular "data breach," between 20 and 100 patients could have been affected. Later, the motorcycle was recovered along with the diary. The happening was never revealed to the potentially affected patients. The important question is, what kind of information did this nurse have? Apparently it was just the names and the addresses. That's it.
From the story, it sounds like a nurse was visiting patient homes on a motorcycle. Since she was making rounds, she required patient names and addresses, which were recorded in a diary (I'm guessing that's the Queen's English for "daily planner" or something similar. I mean, patient addresses wouldn't make it into my diary, if I had one; it's just be weird).
While she was visiting a patient, the motorcycle was stolen, and thusly the diary as well. Based on the classification of this particular "data breach," between 20 and 100 patients could have been affected. Later, the motorcycle was recovered along with the diary. The happening was never revealed to the potentially affected patients.
The important question is, what kind of information did this nurse have? Apparently it was just the names and the addresses. That's it.
I've pointed out in the past that a list of names and addresses is enough to do some serious damage. What's important is not that it's a list of names and addresses--one can get those from the phonebook. (And, if it were from the phonebook, it wouldn't matter so much.) What's important is that, usually, a list of names and addresses are grouped together for a reason. Assuming this diary was issued by the hospital, and imprinted with the hospital's name, whoever picked it up could have bought the trust of the patient by claiming he (or she) was a representative of NHS Northamptonshire. The criminally-inclined could have asked for the UK-equivalent of a Social Security number or a Medical Insurance number to tidy up "missing information" on the patients' records, for example. This would be harder to pull off by just randomly picking names from a phonebook. So, the loss of "just" names and addresses...well, it's not as innocuous as it sounds.
I've pointed out in the past that a list of names and addresses is enough to do some serious damage. What's important is not that it's a list of names and addresses--one can get those from the phonebook. (And, if it were from the phonebook, it wouldn't matter so much.)
What's important is that, usually, a list of names and addresses are grouped together for a reason. Assuming this diary was issued by the hospital, and imprinted with the hospital's name, whoever picked it up could have bought the trust of the patient by claiming he (or she) was a representative of NHS Northamptonshire. The criminally-inclined could have asked for the UK-equivalent of a Social Security number or a Medical Insurance number to tidy up "missing information" on the patients' records, for example. This would be harder to pull off by just randomly picking names from a phonebook.
So, the loss of "just" names and addresses...well, it's not as innocuous as it sounds.
On the other hand, this is one of those data breaches that couldn't have been prevented. I mean, I guess the nurse could have taken her diary with her and have it in her possession at all times. But, that increases the chances of her misplacing it somewhere: at the visiting patient's home, a burger joint, a public restroom, etc. Keeping it locked in her motorcycle may have been a better choice. Plus, if the story is to be believed, medical information was not included, which means the nurse carried the bare minimum when it comes to patient information (which is slightly shocking to me. How's she supposed to memorize the affliction of over 20 patients? I mean, was the just going around and checking they were still alive or what? One would assume some patient information relating to their condition would have been in that diary.) And, since we're talking about paper-based information, the use of data protection measures like the use of encryption would have been impractical. I mean, even the use of the most basic encryption techniques would require minutes to unscramble an address. It's somewhat of a tall order to ask a nurse to play a complex game of Jumble before visiting each patient. (Plus, she's on a motorcycle. How's she going to manage it if it's raining? The UK's pretty famous for its inclement weather, right?) The only way to protect this information would have been not to carry it--but that conflicts with the nurse's job of visiting patients. Obviously not the correct approach to data protection.
But, that increases the chances of her misplacing it somewhere: at the visiting patient's home, a burger joint, a public restroom, etc. Keeping it locked in her motorcycle may have been a better choice.
Plus, if the story is to be believed, medical information was not included, which means the nurse carried the bare minimum when it comes to patient information (which is slightly shocking to me. How's she supposed to memorize the affliction of over 20 patients? I mean, was the just going around and checking they were still alive or what? One would assume some patient information relating to their condition would have been in that diary.)
And, since we're talking about paper-based information, the use of data protection measures like the use of encryption would have been impractical. I mean, even the use of the most basic encryption techniques would require minutes to unscramble an address. It's somewhat of a tall order to ask a nurse to play a complex game of Jumble before visiting each patient. (Plus, she's on a motorcycle. How's she going to manage it if it's raining? The UK's pretty famous for its inclement weather, right?)
The only way to protect this information would have been not to carry it--but that conflicts with the nurse's job of visiting patients. Obviously not the correct approach to data protection.
The NHS has been criticized for keeping its silence regarding the breach. I, for one, disagree. There was no breach here. I mean, it's possible that the thief stole the motorcycle; got into the helmet compartment and took the diary out; made photocopies of each page; and then returned the diary to its original place, so that it appears that the diary was not accessed. But is it probable? The need to protect documents that contain sensitive information is real. And a certain degree of zeal is required to ensure that data protection is in place and working. However, let's not lose our heads here: there was minimal information (I'm hoping a result of foreseeing such a loss), the data was analog, and the data was recovered. It really sounds like a non-event. No need to scare patients over something so trivial. Now, if the diary hadn't been recovered, or more information was included, or some other factor had been included, I would be the first to recommend that patients be notified.
The NHS has been criticized for keeping its silence regarding the breach. I, for one, disagree. There was no breach here. I mean, it's possible that the thief stole the motorcycle; got into the helmet compartment and took the diary out; made photocopies of each page; and then returned the diary to its original place, so that it appears that the diary was not accessed.
But is it probable?
The need to protect documents that contain sensitive information is real. And a certain degree of zeal is required to ensure that data protection is in place and working. However, let's not lose our heads here: there was minimal information (I'm hoping a result of foreseeing such a loss), the data was analog, and the data was recovered.
It really sounds like a non-event. No need to scare patients over something so trivial. Now, if the diary hadn't been recovered, or more information was included, or some other factor had been included, I would be the first to recommend that patients be notified.
Related Articles and Sites:http://www.northamptonchron.co.uk/news/Patient-records-stolen--but.5359631.jp