Castlecroft Medical Practice patient information at risk

Date Reported:
6/18/08

Organization:
NHS Trust

Contractor/Consultant/Branch:
Wolverhampton City Primary Care Trust
Castlecroft Medical Practice

Victims:
Patients

Number Affected:
~11,000

Types of Data:
"names, dates of birth, addresses, contact details and confidential medical records"

Breach Description:
"A laptop containing confidential medical records of all 11,000 Wolverhampton patients at a city surgery has been stolen from a GP’s house, police revealed today."

Reference URL:
The Express & Star

Report Credit:
The Press Association

Response:
From the online sources cited above:

A laptop containing confidential information about 11,000 patients has been stolen from a GP's home.
[Evan] This is now the 11th breach reported on The Breach Blog concerning NHS Trust and affiliated organizations. What is the excuse? Can the GP and/or Primary Care Trust and/or Medical Practice claim to not know the risks involved?

Contrary to Department of Health guidelines, the information was not encrypted, which would have made it unreadable without a special code to unscramble it.
[Evan] Are medical personnel aware of and required to follow the guidelines? Are there penalties or sanctions for non-compliance?

The laptop was among items stolen in a recent burglary at the home of the unnamed doctor, who works at the Castlecroft Medical Practice in Wolverhampton.

The details of when and where the laptop was taken from are not being released, but a helpline has been launched for worried patients.
[Evan] I could not find the helpline phone number; otherwise I would publish it for people.

The information on the computer, which belongs to the practice, included patients' names, dates of birth, addresses, contact details and confidential medical records.

The practice has written to all of its 11,000 patients to inform them that information about them was on the stolen computer.

Dr Peter Wagstaff, senior partner at the practice, said: "The practice is treating this issue very seriously and we are extremely sorry for any distress or concern that it may cause our patients. Though not encrypted, the confidential information on the laptop was protected by a complex password system, which only a person with specialist computer knowledge would be able to crack."
[Evan] If the organization were "treating this issue very seriously", and if it was "truly sorry", then why attempt to minimize the situation (risk) by using the password protection argument? In my opinion (and one shared by many information security professionals), password protection is NOT an adequate preventative control to ensure the confidentiality of the information stored on a laptop computer. This holds especially true in instances where the password protection is controlled by the operating system. See: "Laptop stolen from a Quest Diagnostics employee" and "Not to worry: the stolen laptop was 'password-protected'".

He said the laptop appeared to have been stolen for its re-sale value, rather than for any information stored upon it.
[Evan] In my opinion, this is another attempt to minimize the situation and imply that the risk of confidential information disclosure is less than it may actually be.

Jon Crockett, chief executive of Wolverhampton City Primary Care Trust, said the trust was "extremely concerned" about the theft.

He said: "Patients and the public have the right to expect that those dealing with confidential information maintain the highest levels of security and we are carrying out a full and urgent investigation into this incident."
[Evan] Mr. Crockett makes a very valid point.

National guidance from the Department of Health is that any confidential information about patients must be stored in a safe and secure environment, and mobile devices - including laptops - which contain such data must be fully protected by encryption, he said.
[Evan] Again, Mr. Crockett seems to "get it".

Commentary:
This is the 11th breach at NHS Trust-affiliated organizations in less than 10 months, and the fact that its cause has been so well publicized in earlier breaches does not instill much confidence.

The eleven breaches are only those that have been reported on The Breach Blog; there may be more.

Past Breaches:
NHS Trust:
May, 2008 - Sandown Health Centre backup tape is missing
March, 2008 - Stolen NHS flash drive contained adolescent information
February, 2008 - Laptop missing from Russells Hall Hospital (UK)
January, 2008 - Stolen Bolton Hospitals Laptop affects cancer patients
January, 2008 - Queen Mary's Sidcup Hospital microfiche film goes missing
January, 2008 - Stockport Primary Care Trust flash drive goes missing
January, 2008 - Oldham Primary Care Trust NHS loses two data sticks
January, 2008 - Highly sensitive medical information found in the road
December, 2007 - Laptop stolen in Royal Bolton Hospital break-in
September, 2007 - Dudley Group of Hospitals NHS Patient Data For Sale on eBay

Comments
  • 6/20/2008 6:42 AM John Franks wrote:
    An excellent and timely article: It's amazing that breaches and thefts keep happening. It's also interesting that reactive measures don't concentrate on the obvious solution – a proactive treatment and training of people, and their corresponding security awareness. There is a defined eCulture called "The Business-Technology Weave" that helps to influence employee behaviour as regards security, use and integrity of data, as well as protection of hard assets (such as laptops). This is particularly relevant: http://www.businessforum.com/DScott_02.html . Some good stuff here too: www.david-scott.net . The real solution involves the most critical security link: People. Training, refreshers, and modernization of that training, policies, and procedures.
