Laptop missing from Russells Hall Hospital (UK)


Date Reported:
2/13/08

Organization:
NHS Trust

Contractor/Consultant/Branch:
The Dudley Group of Hospitals 

Outpatient Department at Russells Hall Hospital

Victims:
anticoagulation patients*

*people who suffer from blood-thinning problems

Number Affected:
5,123

Types of Data:
"medical records"

Breach Description:
A laptop was stolen from the Outpatient Department of Russells Hall Hospital in Dudley, West Midlands, on January 8.  The laptop contained sensitive medical records and personal information belonging to people who suffer from blood-thinning problems.

Reference URL:
The Dudley Group of Hospitals statement to the press

The story on The Independent online 

Report Credit:
The Dudley Group of Hospitals

Response:
From the online sources cited above:

A laptop computer was stolen whilst an anticoagulation clinic was being held in the Outpatient Department at Russells Hall Hospital on 8 January 2008.

The laptop held a database that had limited clinical records of 5,123 anticoagulation patients on it.

The database is password/login protected and a separate Trust login and password is required to operate the laptop. Accessing patient information will therefore be difficult.
[Evan] I would not say that accessing the information would be difficult.

Clearly this is a serious issue.
[Evan] Clearly!

We take precautions to try to protect all the I.T. equipment in our hospitals from theft, but given that this is a public building with thousands of people accessing it every day, there are inevitably practical difficulties around security.
[Evan] This is one of the reasons why information security has a concept called "defense in depth".  Higher physical security risk environments require mitigating controls such as encryption, alarms, increased surveillance, physical cable locks, etc.

Our security team work very hard to ensure the safety of our staff, patients and visitors, but it is very difficult to mitigate against all deliberate acts of theft.

To help alleviate any concerns and answer any questions that might arise, staff in the clinic have been talking to the patients about the theft and giving them an explanatory letter which gives them information about the database and explains that the data is not easily accessible.

Letters have also been sent to patients’ home addresses so as to ensure that every patient affected has been notified as soon as possible.

We have no evidence that the patient information on the stolen laptop has been accessed.

The Trust takes its responsibility for data protection and security very seriously and in 2007 commissioned the roll out of new data encryption software.
[Evan] Amen!

The deployment has now begun and the data encryption software is being loaded onto all Trust owned laptops.
[Evan] The word I keyed in on immediately was "all".

We are also taking steps to implement a series of other actions:

The data encryption software will also be loaded onto all mobile devices which includes Trust PDA’s and memory sticks.
[Evan] Excellent, and again the word "all".

In-line with Department of Health guidelines, we are conducting an in-depth review of the transfer of patient data.

The Trust has instructed an independent consultant to conduct a penetration audit of the Trust’s network, which will look in detail at the security infrastructure in place to ensure that systems cannot be hacked into.

All old PCs, laptops and PDA’s are wiped using a degausser before they are disposed of.
[Evan] Another excellent idea.  Remember the University of Glamorgan study?  The Dudley Group of Hospitals is stepping it up, and patients will benefit.

We would like to apologise for any concern this matter has caused those patients affected, and would like to reassure them that the information on the database is unlikely to be recoverable.

The recent £135,000 investment in additional data security together with these actions provides us with the best assurance that the data we hold relating to our patients is safe at all times.

Commentary:
After reporting numerous information security breaches involving the NHS Trust, it is refreshing to read that they are making changes for the better.  I think I have written enough about them, and would prefer not to write anymore.

Past Breaches:
NHS:
February, 2008 - Stolen Bolton Hospitals Laptop affects cancer patients

January, 2008 - Queen Mary's Sidcup Hospital microfiche film goes missing
January, 2008 - Stockport Primary Care Trust flash drive goes missing
January, 2008 - Oldham Primary Care Trust NHS loses two data sticks
January, 2008 - Medical information found in the road
December, 2007 - Laptop stolen from Royal Bolton Hospital NHS
September, 2007 - Dudley Group of Hospitals NHS hard drives for sale on eBay


 
Comments
  • 1/4/2009 2:50 PM Gizmo wrote:
    To be fair, the IT contractor is Siemens Medical, widely despised by employees for its inefficiency. The contract expires, I think, in about 12y.