Laptop stolen in Royal Bolton Hospital break-in

Date Reported:
12/11/07

Organization:
Bolton Hospitals NHS Trust

Contractor/Consultant/Branch:
Royal Bolton Hospital

Victims:
Patients who receive or have received oxygen treatments at home

Number Affected:
~350

Types of Data:
Names, addresses, dates of birth, NHS numbers*, GP practices, and some details about the patient's oxygen supply

*It is the common unique identifier that makes it possible to share patient information across the whole of the NHS safely, efficiently and accurately.  The NHS Number is now more important than ever. Currently, patient information is stored in a number of places and a variety of ways - including paper, computer and film. By 2010, every registered NHS patient in England will have an electronic healthcare record. - Source www.connectingforhealth.nhs.uk/systemsandservices/nhsnumber/

Breach Description:
Thieves broke into the department for thoracic care and stole a laptop that contained confidential personal information belonging to patients who receive or have received oxygen treatments at home.

Reference URL:
The Bolton News story

Report Credit:
Paul Keaveny from The Bolton News

Response:
From the online source cited above:

A COMPUTER containing the personal details of hundreds of patients at the Royal Bolton Hospital has been stolen.

Thieves took the laptop when they broke into the department for thoracic care, which handles patients with chest and breathing complaints.
[Evan] I wonder why sensitive personal information was being stored on a laptop in the first place.  If it is a business requirement, then at the very least encrypt it.

Thieves broke into the chest unit at the Royal Bolton Hospital between November 9 and November 12.

The computer contains the information of around 350 patients who receive, or have received, oxygen treatment at home. Details include names, addresses, dates of birth, NHS numbers, GP practices and some details about the patients' oxygen supply.

The hospital has sent letters to those affected and apologised.

Heather Edwards, head of communications at the hospital, said: "While we believe the risk of anybody using the information contained on the computer is extremely small, we thought that it was right for the patients to know what had happened."
[Evan] Why do organizations continue to think that the risk is "extremely small"?  As long as people continue to think the risk is small, then they will do little to prevent it.

"We are very sorry about this and hope it doesn't cause people any undue concern."
[Evan] Do you think that any of these 350 people are concerned?  Uh, yes I would think that most of them probably are.

engineers for the company which services the oxygen supplies carried identification cards and that patients should check their ID before letting them in.

information was backed-up and patient health and treatment had not been affected.

Cllr Andy Morgan, chairman of the health scrutiny committee, added: "I will be asking for a full report to be brought to my committee with regards the storage of personal data by both the hospital and the Primary Care Trust, to reassure the public that all is being done to protect their personal information in Bolton."

The theft in November is being investigated by the police.

Victim Reaction:

"I can't believe they kept hold of this information for so long. My father is very vulnerable and the thought of a criminal having a computer which contains his personal details, including his address, is very scary. I'm sure the hospital could have acted more quickly."

Commentary:
This breach emphasizes the importance of encrypting all sensitive data at rest. Even if the data and computer don't leave the "secured" building, thieves still break in and steal. The Bolton Hospitals NHS Trust "has a budget of approximately £140m"; maybe they can find some money to properly secure patient information on laptops or, better yet, employ controls to limit any kind of confidential data storage on client computers.

Bolton Hospitals NHS Trust boasts about numerous awards on their site; I wonder if one exists for information security. The fact that this is not the first time a computer containing sensitive information was stolen from the Royal Bolton Hospital makes this breach that much more frustrating.

Past Breaches:
October, 2006 - Computers stolen from the Royal Bolton Hospital
September, 2007 - Dudley Group of Hospitals NHS Patient Data For Sale on eBay



 
Comments
  • 3/11/2008 5:02 PM drug treatment wrote:
    I simply don't get it. The thieves stole the laptop for the information inside it or for the value of the computer? Even if they had the address of the patients, it's not like they are the only one that can harm them. Anyone that passes by and observes a person that's on oxygen support can think to come back and attack the defenseless person.