Oldham Primary Care Trust NHS loses two data sticks

Date Reported:
1/11/08

Organization:
Oldham Primary Care Trust NHS (PCT)

Contractor/Consultant/Branch:
None

Victims:
PCT "clients"

Number Affected:
148

Types of Data:
"The information lost related to copies of assessments about future healthcare needs held in a secure central file. It included people’s names, addresses and dates of birth."*

*I'm not sure if this means that copies of assessments AND names, addresses and dates of birth OR just names, addresses and dates of birth.

Breach Description:
The Oldham Primary Care Trust NHS has issued a press release announcing the loss of two "data sticks" containing personal information belonging to clients that had contact with the organization's continuing care service.  A total of 148 clients were affected by the breach.

Reference URL:
The Oldham Primary Care Trust NHS Press Release
Manchester Evening News Story

Report Credit:
Oldham Primary Care Trust NHS

Response:
From the online sources cited above:

A breach of information security has taken place. Two data sticks containing information relating to 148 clients who have been in contact with the PCT’s continuing care service have been reported missing.

This should never have happened.
[Evan] Got that right.

All the individuals affected have been identified. Our first priority has been to try to contact all 148 individuals, or their representatives, personally. We have made personal contact with 145, and offered to visit them. We are waiting for three to get back to us after several attempts to contact them.

We have followed up the contacts in writing with our sincere apologies, and have set up a dedicated freephone information line for those who may have further questions.

The information lost related to copies of assessments about future healthcare needs held in a secure central file. It included people’s names, addresses and dates of birth. It did not contain financial information.
[Evan] It's a little unclear to me what this means exactly.

There is no risk at all to anyone’s future care.

A formal internal investigation has been launched.

The PCT takes patient confidentiality extremely seriously and has taken immediate action to prevent any further similar incidents.  All data sticks containing ‘personal’ information have been recalled, and a full and thorough review of current processes and procedures is now underway.

Gail Richards, Oldham PCT chief executive, said: “We are deeply sorry – this should never have happened. We have launched a full and thorough investigation, and are reviewing our current policies relating to data storage.
[Evan] It's always a good sign when a "chief executive" comments on security.  I have said this before, but it shows that they understand their information security role and that the buck stops with them.

“While we believe the data sticks have been lost, we have reported the incident to the police in order to get the best advice possible. We have no reason at all to believe the information has been accessed by anyone else.”

To make sure this cannot happen again, the PCT:
  • Is undertaking a full audit of how removable media is used across the PCT
  • Has recalled all data sticks and pen drives which contain ‘personal’ data
  • Nearly completed recalling all data sticks and pen drives in order to reissue encrypted devices to staff alongside a new procedure for their use
  • Has reminded all staff formally of existing policies and procedures
  • Is urgently developing updated guidance for staff around information security
[Evan] These steps will go a long way towards preventing a similar occurrence.  This is sound information security judgment, in my opinion.

Anyone with concerns should contact the PCT’s information line on freephone 0.  The line is open from 8.30am-8pm Mon-Fri and 10am-4pm Sat-Sun.

Commentary:
Overall, this has to be one of the best responses I have seen in some time from an organization that experienced a breach of personal information.  The response is open, thorough and honest.  After reading the press release, I am clear about what happened and what Oldham Primary Care Trust ("PCT") plans to do about it.  Too many times, organizations attempt to keep a breach under wraps.  PCT prominently displays the information on their web site home page.



The breach happens.  The organization comes to terms with the fact that a breach occurred.  The organization reaches out to everyone affected with an honest explanation and sincere apology.  The organization issues a press release to announce what took place and what it intends to do about it.  The organization saves face and keeps a certain amount of trust in the process.  I am impressed with how PCT has responded to this breach.

Past Breaches:
January, 2008 - Medical information found in the road
December, 2007 - Laptop stolen from Royal Bolton Hospital NHS
September, 2007 - Dudley Group of Hospitals NHS hard drives for sale on eBay


 
Comments
  • 1/13/2008 5:20 AM Patients' Council wrote:
    Although it is always a worry when such information is mislaid or even lost, we must be mindful that the content of the information is little more than is available at a low cost purchase via any local authority by anyone without any form of scrutiny checks.

    Oldham PCT in our view should be praised for the action they’ve taken; they have ensured that the focus of their enquiry is to ensure the patients are informed as a priority and that they are offering personal visits and a Freephone information line to deal with any concerns. People need to be aware that 145 of the 148 names stored have been contacted with every effort being made to contact the final three.

    As a patient organisation we commend Oldham PCT and the NHS North West for the swift action taken in dealing with this matter; let’s remember the data sticks in question are missing and could in fact still be recovered. We must also bear in mind that the value of the data sticks to a thief is minimal as such personal information is, as I have already said, available to anyone via any local authority”.
  • 1/18/2008 9:38 PM VictorW wrote:
    The entire situation was dealt with elegantly and efficiently. http://www.drugrehab.net/credentials.php