Stolen Bolton Hospitals Laptop affects cancer patients

Date Reported:
1/30/08

Organization:
NHS Trust

Contractor/Consultant/Branch:
Royal Bolton Hospitals

Victims:
"gynaecology cancer patients from Bolton, Wigan and Salford"

Number Affected:
200

Types of Data:
"names, addresses, information, their diagnosis and treatment and clinical correspondence between medical staff"

Breach Description:
A laptop computer containing sensitive personal information belonging to gynaecology cancer patients from Bolton, Wigan and Salford (UK) was stolen from the office of a radiology consultant in October 2007, but the theft only recently came to light.

Reference URL:
The Bolton News online story

Report Credit:
Jane Lavender, The Bolton News with a special thanks to an informed UK Breach Blog reader

Response:
From the online source cited above:

A COMPUTER containing the personal details of cancer patients has been stolen from the Royal Bolton Hospital.

Thieves struck in October - but hospital bosses only made details of the incident public yesterday.
[Evan] I hope that the "hospital bosses" notified the victims much sooner!

"There is no evidence at all that whoever took the computers took them for the data. These machines were valuable, portable objects. The theft of computer equipment plagues this organisation and many others." - Ann Schenk, director of service development at the hospital
[Evan] These statements are meant to minimize the situation.  I understand what Ann is saying, but I don't agree with its purpose.

The computer containing the cancer patients' details was stolen when thieves broke into the office of a consultant radiologist during the night.

The computer contained the details of 200 gynaecology cancer patients from Bolton, Wigan and Salford.

Information included patients' names, addresses, information, their diagnosis and treatment and clinical correspondence between medical staff.

Hospital bosses contacted all patients to inform them of the theft, but insist all information is data-protected and cannot be accessed by anyone other than the relevant hospital staff.
[Evan] Baloney!  If the information was not encrypted (with good key management), then the data can absolutely be accessed by anyone.

From next month, all information will be stored on a central server - a secure storage network - rather than on individual hard drives. All new laptops will also have controlled encryption software to make sure no-one but hospital staff can access them.
[Evan] Nice.  It only took a few lost/stolen laptops/computers before Bolton Hospitals got it.  Some organizations never get it.  Better late than never.

More than 300 laptops which have been already issued to staff are being recalled over the next three months so the encryption software can be installed.

Encryption software for memory sticks and pen drives will be installed on all equipment by the end of February and managers have been asked to carry out risk assessments on all computers and laptops.

Staff have also been told not to transfer any data until the encryption software has been installed.
[Evan] All good.  Bolton Hospitals is taking the protection of confidential information very seriously.  Kudos to Bolton Hospitals.

Heather Edwards, head of communication at the Royal Bolton Hospital, said: "While we believe the risk of anyone using any of the information is extremely small, we felt patients had the right to know what had happened.

"I'd like to repeat our apologies that such an event happened and reassure people that the hospital is taking this very seriously.

"We fully understand the anxiety the theft of data can cause and we have stepped up security of premises, as well as investing around £200,000 in additional IT security."
[Evan] The amount of money could equate to how serious Bolton Hospitals is about information security.  Let's hope that the money is well spent in the right places.  So far, things sound promising.

Commentary:
Bolton Hospitals and NHS Trust in general have been fodder for much information security discussion over the past few months.  Although it took more potential victims before Bolton Hospital got the hint, at least they got the hint.  I am impressed with Bolton Hospitals' response to THIS breach.  I am hopeful that more organizations will take heed (at least more NHS Trust organizations).

Past Breaches:
NHS:
January, 2008 - Queen Mary's Sidcup Hospital microfiche film goes missing
January, 2008 - Stockport Primary Care Trust flash drive goes missing
January, 2008 - Oldham Primary Care Trust NHS loses two data sticks
January, 2008 - Medical information found in the road
December, 2007 - Laptop stolen from Royal Bolton Hospital NHS
September, 2007 - Dudley Group of Hospitals NHS hard drives for sale on eBay


 