Sandown Health Centre backup tape is missing
Technorati Tag: Security Breach
Date Reported:
5/19/08
Organization:
NHS Trust
Contractor/Consultant/Branch:
Isle of Wight NHS Primary Care Trust
Sandown Health Centre
City Link (the courier)
Victims:
Patients
Number Affected:
38,650
Types of Data:
Medical records
Breach Description:
"The Isle of Wight NHS Primary Care Trust and the Sandown Health Centre are taking action to reassure patients after a computer tape containing their personal details went missing."
Reference URL:
Isle of Wight NHS Primary Care Trust News
BBC News
eHealth Insider
Report Credit:
The Press Association
Response:
From the online sources cited above:
The Isle of Wight NHS Primary Care Trust and the Sandown Health Centre are taking action to reassure patients after a computer tape containing their personal details went missing.
The tape was sent in March to a London-based specialist GP software company who are responsible for maintaining their clinical software.
They carry out checks on computer back-up tapes to make sure they could be used effectively to restore information to the practice computer system in the event of a system failure or other emergency such as a fire.
Unfortunately, the tape has not been received back at the Health Centre, having been despatched by the company through a courier service in March.
Sent on 11 March, it took two months before the tape’s disappearance was discovered by INPS and the PCT.
[Evan] The amount of time that it took to notice that the tape was missing is cause for concern.
The tape was meant to be tracked at every stage by City Link to ensure it reached its destination - the courier firm admitted this had not happened and it is now investigating the loss.
A spokesperson said: "We are naturally very concerned by the loss of our customer’s consignment and a rigorous search for the parcel continues. We are doing everything in our power to resolve the matter and return the package as quickly as possible."
It is presumed that the tape has been lost, possibly permanently, although all possible efforts are being made to try and find it.
The tape contains medical records of 38,650 current and past patients of the Health Centre from July 1996 onwards.
It includes all current patients and large numbers of patients who registered on a temporary basis whilst visiting or working on the Island and patients who have since transferred to practices elsewhere.
It is standard practice for GPs to hold patient details for at least ten years after they are no longer registered with them.
[Evan] Some of the information on the tape dates back 12 years, but that is still in accordance with "at least ten years".
the risk of the tape being misused is extremely small
The tape requires specialist computer equipment to run it and the data is password protected.
In addition, highly advanced computer skills and/or access to a specialist programme only normally used by GPs and the data verification company are needed to make any sense of the information on the tape.
[Evan] According to the eHealth Insider story the tape was encrypted. Is the "specialist programme"? If this is the case, and presuming that good password management practices were followed, then I agree with the assessment that the risk of disclosure is probably small.
The PCT is working with the practice to contact as many patients as possible and is in the process of writing to those who are currently still registered with the practice.
a dedicated telephone helpline has been set up and can be contacted on 0 between 8am and 8pm from Monday to Friday
The Interim Chief Executive of the PCT, Margaret Pratt, said: "Although there is very little chance of anyone being able to do anything untoward with this tape, should they find it, it is potentially a very serious loss of confidential information.
"It is important that everyone concerned continues to do everything possible to try and locate the tape and that is happening. It is equally important that we provide reassurance to patients over the level of risk that their personal information could be misused and I am confident that risk is extremely small."
"I should stress that neither the Health Centre nor the NHS more widely on the Island are in any way responsible for this tape going missing. However, we will, of course, be reviewing the procedures used for data verification by practices to see if there are lessons to learn."
Dr Peter Randall, Senior Partner at the Sandown Health Centre, added: "We have another copy of the back-up tape and our main computer records system is not affected by this. So we still have access to all the information we need and patient care is not compromised in any way."
"My own view is also that the risk of any harm resulting is minimal. My own family are registered as patients at this practice which means their details are amongst those on the tape. I have no worries about the information falling into the wrong hands and being used improperly."
The incident comes five months after NHS chief executive David Nicholson wrote to all NHS trust chief executives telling them to review and tighten their information governance and data transfer arrangements.
[Evan] Unfortunately, it took a number of breaches before Mr. Nicholson issued his directive. Better late than never. He should be commended in regards to the directive. My hope is that the NHS follows good information security governance practices and continually strives to improve their information security program(s).
Commentary:
There was no mention (unless I missed it) of encryption in the official Isle of Wight NHS news announcement. The encryption mention comes in the eHealth Insider report. It is also not clear what "medical records" entails exactly.
Past Breaches:
NHS Trust:
March, 2008 - Stolen NHS flash drive contained adolescent information
February, 2008 - Laptop missing from Russells Hall Hospital (UK)
January, 2008 - Stolen Bolton Hospitals Laptop affects cancer patients
January, 2008 - Queen Mary's Sidcup Hospital microfiche film goes missing
January, 2008 - Stockport Primary Care Trust flash drive goes missing
January, 2008 - Oldham Primary Care Trust NHS loses two data sticks
January, 2008 - Highly sensitive medical information found in the road
December, 2007 - Laptop stolen in Royal Bolton Hospital break-in
September, 2007 - Dudley Group of Hospitals NHS Patient Data For Sale on eBay
Date Reported:5/19/08
Organization:
NHS Trust
Contractor/Consultant/Branch:
Isle of Wight NHS Primary Care Trust
Sandown Health Centre
City Link (the courier)
Victims:
Patients
Number Affected:
38,650
Types of Data:
Medical records
Breach Description:
"The Isle of Wight NHS Primary Care Trust and the Sandown Health Centre are taking action to reassure patients after a computer tape containing their personal details went missing."
Reference URL:
Isle of Wight NHS Primary Care Trust News
BBC News
eHealth Insider
Report Credit:
The Press Association
Response:
From the online sources cited above:
The Isle of Wight NHS Primary Care Trust and the Sandown Health Centre are taking action to reassure patients after a computer tape containing their personal details went missing.
The tape was sent in March to a London-based specialist GP software company who are responsible for maintaining their clinical software.
They carry out checks on computer back-up tapes to make sure they could be used effectively to restore information to the practice computer system in the event of a system failure or other emergency such as a fire.
Unfortunately, the tape has not been received back at the Health Centre, having been despatched by the company through a courier service in March.
Sent on 11 March, it took two months before the tape’s disappearance was discovered by INPS and the PCT.
[Evan] The amount of time that it took to notice that the tape was missing is cause for concern.
The tape was meant to be tracked at every stage by City Link to ensure it reached its destination - the courier firm admitted this had not happened and it is now investigating the loss.
A spokesperson said: "We are naturally very concerned by the loss of our customer’s consignment and a rigorous search for the parcel continues. We are doing everything in our power to resolve the matter and return the package as quickly as possible."
It is presumed that the tape has been lost, possibly permanently, although all possible efforts are being made to try and find it.
The tape contains medical records of 38,650 current and past patients of the Health Centre from July 1996 onwards.
It includes all current patients and large numbers of patients who registered on a temporary basis whilst visiting or working on the Island and patients who have since transferred to practices elsewhere.
It is standard practice for GPs to hold patient details for at least ten years after they are no longer registered with them.
[Evan] Some of the information on the tape dates back 12 years, but that is still in accordance with "at least ten years".
the risk of the tape being misused is extremely small
The tape requires specialist computer equipment to run it and the data is password protected.
In addition, highly advanced computer skills and/or access to a specialist programme only normally used by GPs and the data verification company are needed to make any sense of the information on the tape.
[Evan] According to the eHealth Insider story the tape was encrypted. Is the "specialist programme"? If this is the case, and presuming that good password management practices were followed, then I agree with the assessment that the risk of disclosure is probably small.
The PCT is working with the practice to contact as many patients as possible and is in the process of writing to those who are currently still registered with the practice.
a dedicated telephone helpline has been set up and can be contacted on 0 between 8am and 8pm from Monday to Friday
The Interim Chief Executive of the PCT, Margaret Pratt, said: "Although there is very little chance of anyone being able to do anything untoward with this tape, should they find it, it is potentially a very serious loss of confidential information.
"It is important that everyone concerned continues to do everything possible to try and locate the tape and that is happening. It is equally important that we provide reassurance to patients over the level of risk that their personal information could be misused and I am confident that risk is extremely small."
"I should stress that neither the Health Centre nor the NHS more widely on the Island are in any way responsible for this tape going missing. However, we will, of course, be reviewing the procedures used for data verification by practices to see if there are lessons to learn."
Dr Peter Randall, Senior Partner at the Sandown Health Centre, added: "We have another copy of the back-up tape and our main computer records system is not affected by this. So we still have access to all the information we need and patient care is not compromised in any way."
"My own view is also that the risk of any harm resulting is minimal. My own family are registered as patients at this practice which means their details are amongst those on the tape. I have no worries about the information falling into the wrong hands and being used improperly."
The incident comes five months after NHS chief executive David Nicholson wrote to all NHS trust chief executives telling them to review and tighten their information governance and data transfer arrangements.
[Evan] Unfortunately, it took a number of breaches before Mr. Nicholson issued his directive. Better late than never. He should be commended in regards to the directive. My hope is that the NHS follows good information security governance practices and continually strives to improve their information security program(s).
Commentary:
There was no mention (unless I missed it) of encryption in the official Isle of Wight NHS news announcement. The encryption mention comes in the eHealth Insider report. It is also not clear what "medical records" entails exactly.
Past Breaches:
NHS Trust:
March, 2008 - Stolen NHS flash drive contained adolescent information
February, 2008 - Laptop missing from Russells Hall Hospital (UK)
January, 2008 - Stolen Bolton Hospitals Laptop affects cancer patients
January, 2008 - Queen Mary's Sidcup Hospital microfiche film goes missing
January, 2008 - Stockport Primary Care Trust flash drive goes missing
January, 2008 - Oldham Primary Care Trust NHS loses two data sticks
January, 2008 - Highly sensitive medical information found in the road
December, 2007 - Laptop stolen in Royal Bolton Hospital break-in
September, 2007 - Dudley Group of Hospitals NHS Patient Data For Sale on eBay
Posted by Evan Francen at 5/27/2008 1:06 PM 
Categories: NHS Trust, Lost Tape, Isle of Wight NHS PCT, Sandown Health Centre
Categories: NHS Trust, Lost Tape, Isle of Wight NHS PCT, Sandown Health Centre
Posts Atom 1.0
Comments