AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

UK Disk Encryption Software: Surrey and Sussex Healthcare NHS Trust Loses USB Stick, 800 Affected

The Surrey and Sussex Healthcare NHS Trust, which runs East Surrey Hospital, had a data breach in the past year.  One might ask, so, what's new?  Well, it turns out that 800 affected patients were not notified of the breach.  The information was not protected with USB drive encryption software like AlertBoot, either.

Comes to Light via Annual Report

The source for all articles covering this story points to crawleyobserver.co.uk.  In turn, crawleyobserver.co.uk notes that the breach was reported in the Surrey and Sussex Healthcare NHS Trust's 2010/11 annual report.  I imagine that The Crawley Observer must have independently confirmed whether affected patients were notified of the breach.

(I'd be surprised if the lack of notification was noted in the report itself.  As of 03 October 2011, the report is awaiting publication.  The report should be listed here.  There is a PDF which lists the incident under "information governance" here on page 14.  The report does not reveal whether notifications were sent.)

According to the story and supporting materials, East Surrey Hospital lost an unencrypted USB memory stick that held information on 800 patients.  It included names, dates of birth, and operation details.  The device was lost in September 2010.

ICO was Notified

While the 800 affected individuals were not notified of the breach, the Information Commissioner's Office certainly was:

The Information Commissioner’s Office (ICO) said the loss had been reported to the watchdog in late 2010.

"After investigating the breach the ICO warned the organisation that their policy covering the storage and use of personal data must be followed by staff and the trust must make sure that their staff are aware of their policy for the storage and use of personal data and are appropriately trained on how to follow it," the ICO said. [itpro.co.uk]

Still, this does not reveal whether the ICO was aware of the NHS not contacting patients.  This is actually quite an important question that could be precedent-setting.

It's the ICO that makes the decision whether affected citizens need to be notified or not.  If the ICO determines that notification is unnecessary, the breached organization can still alert the affected (at least, one presumes so).  However, if the ICO deems it necessary to send notifications but the breached organization does not do so -- well, this would be a first, as far as I know.

So, what was the ICO's position regarding notifications?  If the NHS contravened the ICO's instructions, it seems to me that the ICO should set a precedent.  In fact, it seems to me that the penalty ought to be even more severe than those handed out for not using proper encryption software on laptops.

Observation on Industry Criticism

Unsurprisingly, the news has become a lightning rod for criticism:

Grant Taylor, UK vice president at Cryptzone, said: "Had this been a private company, rather than an NHS Trust, the organisation would have been publicly censured and a large fine levied under the Data Protection Act.

"The fact that this is a government agency that has experienced a total of ten data loss incidents, and one where the data was not recovered, is a highly questionable.(sic) [scmagazineuk.com]

I don't agree with Mr. Taylor's assessment.  The only government body that has the ability to censure companies for data breaches is the Information Commissioner's Office.  The commissioner's office acquired the ability to fine up to £150,000 in April 2010, and so far the ICO has fined four public bodies and one private one (A4e) (the link is missing the most recent massive fine, which was assessed on Surrey County Council in June 2011) out of over 2,000 breaches.  Furthermore, the private organization was fined the least amount of all five organizations despite affecting the most people.

If history is any indication, it appears that being a private company would result in less severe sanctions.


Related Articles and Sites:
http://www.phiprivacy.net/?p=7909
http://www.itpro.co.uk/636475/nhs-trust-loses-800-patients-data
http://www.scmagazineuk.com/victims-in-the-dark-after-hospital-loses-unencrypted-usb-stick/article/213362/

 
<Previous Next>

iPad Theft Leads To Data Breach For Eventbrite

Data Encryption Software: Could It's Use Trigger A Breach Of UK DPA?

Comments

No Comments

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.