The Surrey and Sussex Healthcare NHS Trust, which runs East Surrey Hospital, had a data breach in the past year. One might ask, so, what's new? Well, it turns out that 800 affected patients were not notified of the breach. The information was not protected with USB drive encryption software like AlertBoot, either.
The sources for all articles covering this story point to crawleyobserver.co.uk. In turn, crawleyobserver.co.uk notes that the breach was reported in the annual 2010/11 report from the Surrey and Sussex Healthcare NHS Trust. I imagine that The Crawley Observer must have independently confirmed whether affected patients were notified of the breach or not.
(I'd be surprised if the lack of notification was noted in the report itself. As of 03 October 2011, the report is awaiting publication. The report should be listed here. There is a PDF which lists the incident under "information governance" here on page 14. The report does not reveal whether notifications were sent.)
According to the story and supporting materials, East Surrey Hospital lost an unencrypted USB memory stick that held information on 800 patients. It included names, dates of birth, and operation details. The device was lost in September 2010.
While the 800 affected individuals were not notified of the breach, the Information Commissioner's Office certainly was:
The Information Commissioner’s Office (ICO) said the loss had been reported to the watchdog in late 2010.
"After investigating the breach the ICO warned the organisation that their policy covering the storage and use of personal data must be followed by staff and the trust must make sure that their staff are aware of their policy for the storage and use of personal data and are appropriately trained on how to follow it," the ICO said. [itpro.co.uk]
Still, this does not reveal whether the ICO was aware of the NHS not contacting patients. This is actually quite an important question that could be precedent-setting.
It's the ICO that makes the decision whether affected citizens need to be notified or not. If the ICO determines that notification is unnecessary, the breached organization can still alert the affected (at least, one presumes so). However, if the ICO deems it necessary to send notifications but the breached organization does not do so -- well, this would be a first, as far as I know.
So, what was the ICO's position regarding notifications? If the NHS contravened the ICO's instructions, it seems to me that the ICO should set a precedent. In fact, it seems to me that the penalty ought to be even more severe than those handed out for not using proper encryption software on laptops.
Unsurprisingly, the news has become a lightning rod for criticism:
Grant Taylor, UK vice president at Cryptzone, said: "Had this been a private company, rather than an NHS Trust, the organisation would have been publicly censured and a large fine levied under the Data Protection Act.
"The fact that this is a government agency that has experienced a total of ten data loss incidents, and one where the data was not recovered, is a highly questionable.(sic) [scmagazineuk.com]
I don't agree with Mr. Taylor's assessment. The only government body that has the ability to censure companies for data breaches is the Information Commissioner's Office. The commissioner's office acquired the ability to fine up to £150,000 in April 2010, and so far the ICO has fined four public bodies and one private one (A4e) out of over 2,000 breaches (the link is missing the most recent massive fine, which was assessed on Surrey County Council in June 2011). Furthermore, the private organization was fined the least of all five organizations despite affecting the most people.
If history is any indication, it appears that being a private company would result in less severe sanctions.
Related Articles and Sites:
http://www.phiprivacy.net/?p=7909
http://www.itpro.co.uk/636475/nhs-trust-loses-800-patients-data
http://www.scmagazineuk.com/victims-in-the-dark-after-hospital-loses-unencrypted-usb-stick/article/213362/