Stolen NHS flash drive contained adolescent information
Technorati Tag: Security Breach
Date Reported:
3/5/08
Organization:
NHS Trust
Contractor/Consultant/Branch:
Telford and Wrekin Primary Care Trust (PCT)
Madeley Health Centre
Victims:
Adolescent patients
Number Affected:
238
Types of Data:
Names, dates of birth, addresses, and clinical treatment details
Breach Description:
A laptop was stolen from a speech therapist at the Madeley Health Centre in Shropshire (UK). According to officials the laptop has been secured, but a flash drive containing personal information belonging to child patients of the clinic is missing.
Reference URL:
Computerworld
BBC News
The Shropshire Star
Report Credit:
The Shropshire Star
Response:
From the online sources cited above:
A laptop containing personal details of more than 200 children has been stolen from a Shropshire medical center.
Telford and Wrekin Primary Care Trust (PCT) confirmed a laptop was stolen from the Madeley Health Centre, while one of its language therapists was running a clinic and had left the laptop in an adjacent room.
It has since been disconnected from the NHS network to ensure no access to data, but a memory stick with 238 patients' details is still missing.
[Evan] Information security professionals need to reduce the risk of exposure to the information, NOT the laptop. The information must be secured wherever it resides.
These records include patient names, date of births, and addresses as well as the details of their speech and language therapy treatment.
Simon Conolly, Telford & Wrekin PCT chief executive said in a statement that the laptop had been fitted with encryption software to comply with the high NHS security standards.
[Evan] This is an excellent decision and practice by NHS, but if copying confidential information to flash drives is allowed without restriction then it doesn't do a whole lot of good in the end. Sounds obvious, but the facts speak for themselves.
"The equipment was also fitted with sophisticated tracking equipment and the police were informed immediately."
The PCT said it informed patients of the breach as soon as the theft was reported, and the trust is undergoing a thorough investigation.
[Evan] In my opinion, another good call by officials. Notifying victims sooner rather than later is good practice (as long as it doesn't hinder the investigation).
Conolly said: "All staff are given strict instructions about all aspects of security on patient records, for example not to leave laptops in cars. It is extremely unfortunate that the equipment has been stolen from the NHS clinic while the therapist was working there. A thorough internal investigation is being carried out and if there are lessons to be learnt from this incident, the PCT will be ensure that security measures are reinforced."
[Evan] How about some additional controls around removable media? Or, if possible prohibit their use altogether with respect to confidential information.
Telford police spokeswoman Denise Wakefield said the theft of the Flybook laptop happened on February 27 at 4.50pm.
Anyone with information about the theft is asked to call police on 08457 444888.
Commentary:
I get tourqued when I read about breaches that affect children. If what is being reported is actually the truth, then the risk to the children in minimized by the fact that there isn't a lot of potential for fraud. I wonder if there was more information on the flash drive though.
Information security is a holistic discipline. We strive to take into account all risks to unauthorized information disclosure, modification and destruction. While encrypting laptops is recommended as part of an overall information security strategy, it is equally important to remember the goal of the information security program and protect the information in all locations and forms (i.e. CDs, flash drives, print outs, etc.).
Past Breaches:
NHS:
February, 2008 - Laptop missing from Russells Hall Hospital (UK)
February, 2008 - Stolen Bolton Hospitals Laptop affects cancer patients
January, 2008 - Queen Mary's Sidcup Hospital microfiche film goes missing
January, 2008 - Stockport Primary Care Trust flash drive goes missing
January, 2008 - Oldham Primary Care Trust NHS loses two data sticks
January, 2008 - Medical information found in the road
December, 2007 - Laptop stolen from Royal Bolton Hospital NHS
September, 2007 - Dudley Group of Hospitals NHS hard drives for sale on eBay
Date Reported:3/5/08
Organization:
NHS Trust
Contractor/Consultant/Branch:
Telford and Wrekin Primary Care Trust (PCT)
Madeley Health Centre
Victims:
Adolescent patients
Number Affected:
238
Types of Data:
Names, dates of birth, addresses, and clinical treatment details
Breach Description:
A laptop was stolen from a speech therapist at the Madeley Health Centre in Shropshire (UK). According to officials the laptop has been secured, but a flash drive containing personal information belonging to child patients of the clinic is missing.
Reference URL:
Computerworld
BBC News
The Shropshire Star
Report Credit:
The Shropshire Star
Response:
From the online sources cited above:
A laptop containing personal details of more than 200 children has been stolen from a Shropshire medical center.
Telford and Wrekin Primary Care Trust (PCT) confirmed a laptop was stolen from the Madeley Health Centre, while one of its language therapists was running a clinic and had left the laptop in an adjacent room.
It has since been disconnected from the NHS network to ensure no access to data, but a memory stick with 238 patients' details is still missing.
[Evan] Information security professionals need to reduce the risk of exposure to the information, NOT the laptop. The information must be secured wherever it resides.
These records include patient names, date of births, and addresses as well as the details of their speech and language therapy treatment.
Simon Conolly, Telford & Wrekin PCT chief executive said in a statement that the laptop had been fitted with encryption software to comply with the high NHS security standards.
[Evan] This is an excellent decision and practice by NHS, but if copying confidential information to flash drives is allowed without restriction then it doesn't do a whole lot of good in the end. Sounds obvious, but the facts speak for themselves.
"The equipment was also fitted with sophisticated tracking equipment and the police were informed immediately."
The PCT said it informed patients of the breach as soon as the theft was reported, and the trust is undergoing a thorough investigation.
[Evan] In my opinion, another good call by officials. Notifying victims sooner rather than later is good practice (as long as it doesn't hinder the investigation).
Conolly said: "All staff are given strict instructions about all aspects of security on patient records, for example not to leave laptops in cars. It is extremely unfortunate that the equipment has been stolen from the NHS clinic while the therapist was working there. A thorough internal investigation is being carried out and if there are lessons to be learnt from this incident, the PCT will be ensure that security measures are reinforced."
[Evan] How about some additional controls around removable media? Or, if possible prohibit their use altogether with respect to confidential information.
Telford police spokeswoman Denise Wakefield said the theft of the Flybook laptop happened on February 27 at 4.50pm.
Anyone with information about the theft is asked to call police on 08457 444888.
Commentary:
I get tourqued when I read about breaches that affect children. If what is being reported is actually the truth, then the risk to the children in minimized by the fact that there isn't a lot of potential for fraud. I wonder if there was more information on the flash drive though.
Information security is a holistic discipline. We strive to take into account all risks to unauthorized information disclosure, modification and destruction. While encrypting laptops is recommended as part of an overall information security strategy, it is equally important to remember the goal of the information security program and protect the information in all locations and forms (i.e. CDs, flash drives, print outs, etc.).
Past Breaches:
NHS:
February, 2008 - Laptop missing from Russells Hall Hospital (UK)
February, 2008 - Stolen Bolton Hospitals Laptop affects cancer patients
January, 2008 - Queen Mary's Sidcup Hospital microfiche film goes missing
January, 2008 - Stockport Primary Care Trust flash drive goes missing
January, 2008 - Oldham Primary Care Trust NHS loses two data sticks
January, 2008 - Medical information found in the road
December, 2007 - Laptop stolen from Royal Bolton Hospital NHS
September, 2007 - Dudley Group of Hospitals NHS hard drives for sale on eBay
Posted by Evan Francen at 3/6/2008 11:10 AM 
Categories: NHS Trust, Stolen Device, Madeley Health Centre, Telford and Wrekin Primary Care Trust
Categories: NHS Trust, Stolen Device, Madeley Health Centre, Telford and Wrekin Primary Care Trust
Posts Atom 1.0
What kind of a person can do this? Stealing somebody`s laptop? The worst part is with that children. But maybe in the hospital there are some registers that hold their information. I hope so.
Reply to this