Stolen patient information from Hampshire Primary Care Trust

Date Reported:
9/10/08

Organization:
NHS Trust

Contractor/Consultant/Branch:
Hampshire Primary Care Trust

Location:
Winchester, Hampshire (UK)

Victims:
Patients

Number Affected:
"up to 15,396"

Types of Data:
"personal health information"

Breach Description:
"Computer back-up tapes containing personal information on up to 15,396 patients at a surgery have been stolen.

A safe containing the tapes was stolen from the St Paul's Surgery in Winchester, Hampshire, on Saturday."

Reference URL:
BBC News
ComputerWorldUK

Report Credit:
BBC News

Response:
From the online sources cited above:

The data of 15,000 patients has been lost after a thief stole unencrypted computer tapes from a GP surgery.

A safe containing the back-up tapes was stolen from St Paul’s surgery in Winchester at the weekend.

The tapes contained personal health information on the patients.
[Evan] Unauthorized exposure of health information can be much more damaging than unauthorized exposure of personally identifiable and/or financial information.

"There are 15,396 patients registered at the surgery and potentially information on all of them could be on the tapes."

Hampshire Primary Care Trust, which manages NHS care in the county, said the tapes were not encrypted but instead had password protection.
[Evan] Password protection?!  Puhleez.

It said "specialised computer equipment" was needed to run the tapes, and added: "Anyone trying to read the information would ... need to have very advanced computer skills or access to a special computer programme to make any sense of it."
[Evan] Specialized equipment like a tape drive?  A hundred pounds at most?  A "special computer programme" like BackupExec?  I don't think "very advanced computer skills" are necessary.

The thieves were unlikely to be targeting the information, it said, but instead may have been after drugs, money or prescription pads, which were not in the safe.

The safe had been stored in a locked room and those responsible broke through the rear entrance and the locked office door, setting off the alarm.
[Evan] I wonder how much time had passed between the time when the thief broke in and the time it was noticed.

Hampshire PCT said it was writing to patients to inform them of the loss, and it has set up a phone line for anyone concerned.

"We would like to reassure patients registered at the surgery that the chances of anyone being able to do anything untoward with the tapes are very small indeed," it said in a statement.

The crime is currently being investigated by Hampshire police.

"The GPs and staff at the surgery are all very shocked and upset by the burglary, as anyone who has experienced something similar will understand."

Commentary:
I agree with the assessment in the news story that the thief was probably after something else when he/she stole the safe containing the backup tapes, but the thief will end up doing something with the tapes nonetheless.  The thief may sell the tapes.  The thief may try to access the information on the tapes him/herself.  The thief may throw them in the garbage, potentially exposing them to someone else who may have the time and skills required to read the information.  The fact of the matter is that control of the information has been lost, which in turn increases the risk of exposure of patient information.

Past Breaches:
NHS Trust:
August, 2008 - New and expectant mothers' information in a lost diary
June, 2008 - Castlecroft Medical Practice patient information at risk
May, 2008 - Sandown Health Centre backup tape is missing
March, 2008 - Stolen NHS flash drive contained adolescent information
February, 2008 - Laptop missing from Russells Hall Hospital (UK)
January, 2008 - Stolen Bolton Hospitals Laptop affects cancer patients
January, 2008 - Queen Mary's Sidcup Hospital microfiche film goes missing
January, 2008 - Stockport Primary Care Trust flash drive goes missing
January, 2008 - Oldham Primary Care Trust NHS loses two data sticks
January, 2008 - Highly sensitive medical information found in the road
December, 2007 - Laptop stolen in Royal Bolton Hospital break-in
September, 2007 - Dudley Group of Hospitals NHS Patient Data For Sale on eBay


 