The Royal Wolverhampton Hospitals NHS Trust in the UK has agreed to sign an Undertaking after it was found of a data breach by the Information Commissioner's Office. The breach was caused by an itinerant CD that wasn't secured with neither data encryption software or password-protection.
The CD was found at a bus stop near the hospital. It contained scans of patient records from the Intensive Care Unit of New Cross Hospital’s Heart and Lung Unit. A total of 112 patient records were breached. Investigators were unable to determine how the CD ended up at the bus stop, or why the patient information was burned to the CD to begin with. According to scmagazineuk.com, "it was established that there were areas of weakness in the Trust's data protection procedures." Well, that goes without saying...
The CD was found at a bus stop near the hospital. It contained scans of patient records from the Intensive Care Unit of New Cross Hospital’s Heart and Lung Unit. A total of 112 patient records were breached.
Investigators were unable to determine how the CD ended up at the bus stop, or why the patient information was burned to the CD to begin with. According to scmagazineuk.com, "it was established that there were areas of weakness in the Trust's data protection procedures."
Well, that goes without saying...
In light of the breach and the weaknesses that were established during the investigation, the Trust has decided to effect some changes. Among them: "ensuring that patient charts released to consultants are signed for on receipt and chased for return after just one week." It was only last week that I had mentioned Walsh Pharma's data security breach, where a DVD being returned by a third-party was lost in the mail. In light of this and other similar cases involving disks and the mail, I have some problems with the NHS Trust's new found vigor in upholding their data security practices. Of course, if CD encryption is used, it wouldn't be much of a problem if there was some kind of snafu involving the mail. However, if encryption software like AlertBoot is not used--which it should be, by the way--then the information in the CD is ripe for a breach. Better off to have the consultant destroy the CD than mail it back to the NHS unsecured. The consultant will have to provide proof of destruction, of course. Hm. Perhaps the CD should be mailed back already destroyed.
In light of the breach and the weaknesses that were established during the investigation, the Trust has decided to effect some changes. Among them: "ensuring that patient charts released to consultants are signed for on receipt and chased for return after just one week."
It was only last week that I had mentioned Walsh Pharma's data security breach, where a DVD being returned by a third-party was lost in the mail. In light of this and other similar cases involving disks and the mail, I have some problems with the NHS Trust's new found vigor in upholding their data security practices.
Of course, if CD encryption is used, it wouldn't be much of a problem if there was some kind of snafu involving the mail. However, if encryption software like AlertBoot is not used--which it should be, by the way--then the information in the CD is ripe for a breach.
Better off to have the consultant destroy the CD than mail it back to the NHS unsecured. The consultant will have to provide proof of destruction, of course. Hm. Perhaps the CD should be mailed back already destroyed.
Related Articles and Sites:http://www.scmagazineuk.com/another-nhs-trust-found-to-be-in-breach-of-the-data-protection-act-following-the-loss-of-over-100-patient-records/article/177390/http://www.itpro.co.uk/626353/nhs-trust-leaves-medical-data-at-bus-stop