New and expectant mothers' information in a lost diary
Date Reported:
8/13/08
Organization:
NHS Trust
Contractor/Consultant/Branch:
Pennine Acute Hospital Trust
Rochdale Infirmary
Victims:
"new and expectant mothers"
Number Affected:
345
Types of Data:
A diary containing information covering antenatal and postnatal appointments, including names, addresses, telephone numbers and notes.
Breach Description:
"A midwife's diary containing personal information on hundreds of new and expectant mothers has been lost from a Health Trust in Greater Manchester."
Reference URL:
4RFV.co.uk
BBC News
Report Credit:
BBC News
Response:
From the online sources cited above:
A hospital trust has apologised to hundreds of new and expectant mothers after a midwife lost a diary containing their names and addresses.
[Evan] This is the first breach that I recall involving a handwritten diary on The Breach Blog. I wanted to include this breach because I want to emphasize that information security as a discipline is holistic. Information security aims to reduce the risk of unauthorized disclosure, modification and destruction of information, no matter what form (electronic, printed, handwritten, spoken, etc.).
The Pennine Acute Trust wrote to 345 women in the Rochdale area of Greater Manchester after a community midwife lost her diary last week.
The hand-written diary covered her antenatal and postnatal appointments between January and July 2008.
A trust spokesman said the diary contained patients' telephone numbers and addresses but no medical information.
[Evan] I wonder if the claim of "no medical information" is really true. I would agree that there are no "medical records" in the sense of official medical files like those kept by most hospitals. I do think that there was more than telephone numbers and addresses, though. I presume that there were notes and other miscellaneous information that was not meant for unauthorized consumption.
Eileen Stringer, consultant midwife at Rochdale Infirmary where the community midwife is based, said: "We would like to apologise for any inconvenience or concerns which this has caused.
"We've written to let women know of this issue because they have a right to know that the diary has gone missing."
"There is no need for anyone who has not been contacted by us to take any action whatsoever," she said.
"The letters include details of an information line in case they have any concerns.
"We have assured them that this in no way compromises any of their clinical care - this is a diary, not health records."
The trust spokesman said the women who had contacted the helpline had been very understanding.
Pennine Acute Trust runs five hospitals in north Manchester and is reviewing the use of hand-held diaries by staff.
Commentary:
What interests me the most about this breach is the form in which the information was stored. A diary seems like an innocent enough way to store information, but if the information is not meant to be shared with others, then it needs protection. It doesn't seem like this breach poses a high risk to the affected persons, but it could have been much worse.
Do you include information in all forms in your information security strategy and program? What are some controls that work?
Past Breaches:
NHS Trust:
June, 2008 - Castlecroft Medical Practice patient information at risk
May, 2008 - Sandown Health Centre backup tape is missing
March, 2008 - Stolen NHS flash drive contained adolescent information
February, 2008 - Laptop missing from Russells Hall Hospital (UK)
January, 2008 - Stolen Bolton Hospitals Laptop affects cancer patients
January, 2008 - Queen Mary's Sidcup Hospital microfiche film goes missing
January, 2008 - Stockport Primary Care Trust flash drive goes missing
January, 2008 - Oldham Primary Care Trust NHS loses two data sticks
January, 2008 - Highly sensitive medical information found in the road
December, 2007 - Laptop stolen in Royal Bolton Hospital break-in
September, 2007 - Dudley Group of Hospitals NHS Patient Data For Sale on eBay
