Stockport Primary Care Trust flash drive goes missing
Technorati Tag: Security Breach
Date Reported:
1/18/08
Organization:
Stockport Primary Care Trust NHS
Contractor/Consultant/Branch:
None
Victims:
Patients
Number Affected:
4,000
Types of Data:
"NHS number, Specific Stockport PCT identification number, First and second name, Date of Birth, Sex, Condition (if condition was chronic obstructive pulmonary disease, asthma, heart failure, coronary heart disease, diabetes or epilepsy), GP code and practice code and GP Name"
Breach Description:
A staff member working for the Stockport Primary Care Trust lost a flash drive sometime between parking her car and arriving at her desk in December, 2007. The flash drive was on a lanyard around her neck when it was lost and it contained sensitive personal information belonging to patients of the trust.
Reference URL:
Stockport Primary Care Trust NHS Press Release dated 1/18/08
Manchester Evening News Story
ComputerWeekly News Story
Report Credit:
Amanda Crook, Manchester Evening News
brought to the attention of The Breach Blog by an informed reader.
Response:
From the online sources cited above:
In early December 2007 a member of staff of Stockport PCT lost a USB drive containing limited information on approximately 4000 patients. This happened between parking the car and arriving at her desk. The drive was on a clip on a lanyard around the neck and somehow came free and was lost.
Health bosses decided not to tell patients about the loss because they believe the data could not be used in an identity fraud.
[Evan] Whether or not the information could be directly used for identity fraud should be irrelevant to the decision to notify patients. This is personal information that belongs to the patients, not Stockport PCT.
The USB drive (memory stick) included a file which contained the following details:
NHS number, Specific Stockport PCT identification number, First and second name, Date of Birth, Sex, Condition (if condition was chronic obstructive pulmonary disease, asthma, heart failure, coronary heart disease, diabetes or epilepsy), GP code and practice code and GP Name
Immediate steps were taken to search for the drive by retracing the path of the staff member but the drive has not been found.
The loss was an accident rather than any systematic failing in management and governance.
[Evan] I strongly disagree with this statement made by Stockport PCT. This IS a failure of information security management and governance! The storage of sensitive information on portable media without additional controls such as encryption must be prohibited. This is accomplished through policy, training and awareness, standards and procedures, and technical controls. The fact that this statement is made by Stockport PCT demonstrates a fundamental misunderstanding of information security roles and responsibilities.
Indeed the security of the information had been considered and the data was being carried personally to avoid being sent by e-mail.
[Evan] So the sensitivity of the information was taken into account, and still not secured adequately. There are FREE programs and utilities available to encrypt files, folders and entire drives. It would have added an additional 15 minutes to download the program, install it, and use it. I'm guessing that the aftermath has taken considerably longer in terms of time spent in response. Some flash drives even come with encryption built-in!
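The commentary above calls for encryption as the technical control that would have made the lost stick useless to whoever picked it up. The following is an added example written for this page, not code from The Breach Blog or from Stockport PCT, showing what "encrypt the file before it goes on the drive" amounts to in practice: a passphrase is stretched with PBKDF2-HMAC-SHA256 into an AES-256-GCM key, and the file is stored as salt, nonce and authenticated ciphertext. The container layout, the sample patient record and the passphrase are all constructed for the example; a real deployment would use a vetted utility or a hardware-encrypted drive, as the post notes, but the properties are the same: without the passphrase the contents are opaque, and any tampering or wrong passphrase is detected rather than yielding garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Container layout (an assumption made for this example, not any product's format):
//   salt(16 bytes) || nonce(12 bytes) || AES-256-GCM ciphertext || GCM tag(16 bytes)
const (
	saltLen     = 16
	nonceLen    = 12
	keyLen      = 32
	pbkdf2Iters = 600000 // high iteration count makes offline passphrase guessing slow
)

// pbkdf2SHA256 derives keyLen bytes from a passphrase and salt (RFC 8018, PRF = HMAC-SHA256).
// Written out here so the block depends only on the Go standard library.
func pbkdf2SHA256(pass, salt []byte, iters, keyLen int) []byte {
	mac := hmac.New(sha256.New, pass)
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		mac.Reset()
		mac.Write(salt)
		mac.Write(idx[:])
		u := mac.Sum(nil)                // U1 = PRF(P, S || INT(block))
		t := append([]byte(nil), u...)   // T = U1
		for i := 1; i < iters; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)             // Ui = PRF(P, U(i-1))
			for j := range t {
				t[j] ^= u[j]             // T ^= Ui
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// newAEAD turns passphrase+salt into an AES-256-GCM instance.
func newAEAD(passphrase string, salt []byte) (cipher.AEAD, error) {
	key := pbkdf2SHA256([]byte(passphrase), salt, pbkdf2Iters, keyLen)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under a passphrase and returns a self-describing container.
func Seal(passphrase string, plaintext []byte) ([]byte, error) {
	header := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(header); err != nil { // fresh random salt and nonce per file
		return nil, err
	}
	salt, nonce := header[:saltLen], header[saltLen:]
	aead, err := newAEAD(passphrase, salt)
	if err != nil {
		return nil, err
	}
	// The header is passed as additional authenticated data, so a swapped salt or nonce is detected.
	return aead.Seal(append([]byte(nil), header...), nonce, plaintext, header), nil
}

// Open reverses Seal. A wrong passphrase or any modified byte fails the GCM tag check.
func Open(passphrase string, container []byte) ([]byte, error) {
	if len(container) < saltLen+nonceLen+16 {
		return nil, errors.New("container too short")
	}
	header := container[:saltLen+nonceLen]
	aead, err := newAEAD(passphrase, header[:saltLen])
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, header[saltLen:], container[saltLen+nonceLen:], header)
	if err != nil {
		return nil, errors.New("decryption failed: wrong passphrase or tampered container")
	}
	return pt, nil
}

func main() {
	// Constructed sample record: the field names mirror those listed in the press release,
	// the values are invented for this example.
	record := []byte("NHS number=0000000000;name=Example Patient;dob=1970-01-01;condition=asthma")
	container, err := Seal("a long passphrase the courier remembers", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("container is %d bytes; this is what would be copied to the USB stick\n", len(container))
	if _, err := Open("guess", container); err != nil {
		fmt.Println("wrong passphrase:", err)
	}
	plain, err := Open("a long passphrase the courier remembers", container)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered at the destination: %s\n", plain)
}
```

The design point worth noting is the authenticated mode: GCM means a wrong passphrase or a flipped byte produces an error rather than silently corrupted data, which is what makes a lost container safe to declare unreadable. Key stretching is what turns "it needs a passphrase" into "it needs a passphrase nobody can brute-force in reasonable time".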
The PCT has taken further steps to emphasise to staff the importance of vigilance in carrying/sending personalised data.
The loss of the data has had no adverse impact on the services provided by Stockport PCT and GPs. The data loss was reported centrally at the time of the loss and again on the recent NHS wide audit of data losses.
‘I want to apologise personally for any inconvenience and distress this may have caused patients. Clearly the recent events concerning loss of personal data have raised the awareness and importance of this matter. I want to assure patients that I believe there is no possibility of any “identity theft” as a result of this loss, and let you know that steps have been taken to ensure this never happens again.’, Richard Popplewell, Chief Executive
[Evan] I do give credit to Mr. Popplewell for issuing a statement. I have said this before, but I will say it again. When a Chief Executive speaks on information security matters, it shows that they recognize that the information security "buck" stops with them.
An information line has been set up to deal with patient enquiries and concerns. The number is 0. You can contact the information line between 10am and 2pm on Saturday 19th January and 9am and 5pm between 21st and 25th of January. After this date please call 0 (this will be an answerphone and somebody will call you back).
Commentary:
Does the UK have an equivalent to the U.S. HIPAA? I am not well-versed in UK data security laws, so I don't know.
Using flash drives without additional controls to carry confidential information is very risky business.
Past Breaches:
January, 2008 - Oldham Primary Care Trust NHS loses two data sticks
January, 2008 - Medical information found in the road
December, 2007 - Laptop stolen from Royal Bolton Hospital NHS
September, 2007 - Dudley Group of Hospitals NHS hard drives for sale on eBay