Transparent response to lost Central Lancashire PCT flash drive
Technorati Tag: Security Breach
Date Reported:
1/9/09
Organization:
NHS Trust
Contractor/Consultant/Branch:
Central Lancashire Primary Care Trust ("PCT")
Location:
Preston, Lancashire UK
Victims:
Patients who were or are prisoners at Her Majesty's Prison Preston
Number Affected:
"a maximum of 6,360"
Types of Data:
"prisoner surnames, their broad age range, prison number, cell location, prison clinic appointment times, and review dates" "In some cases there was reference to clinics attended, medical condition and treatment offered"
Breach Description:
"NHS Central Lancashire can confirm that a breach of information security has taken place." "The incident happened on 30 December 2008 at Her Majesty's Prison Preston. It relates to a missing USB data stick that was routinely used to back-up the clinical administrative databases."
Reference URL:
Central Lancashire PCT Press Release
Chorley Guardian
PC PRO
Report Credit:
Central Lancashire PCT, with a special thanks to an informed Breach Blog reader
Response:
From the online sources cited above:
NHS Central Lancashire can confirm that a breach of information security has taken place.
[Evan] From the very beginning, it seems as though Central Lancashire PCT is trying desperately to do the right thing. Their response is transparent, forthcoming and genuine. This is probably one of the best public responses to a breach that I can remember. Other organizations could stand to learn a lot here.
We are taking this very seriously, and we would like to apologise unreservedly for any concern this incident has caused. It should never have happened.
[Evan] What's this? An unreserved apology? I have to admit that I don't read that everyday.
A thorough investigation is already underway, and urgent action has been taken to prevent it happening again.
The incident happened on 30 December 2008 at Her Majesty's Prison Preston.
It relates to a missing USB data stick that was routinely used to back-up the clinical administrative databases.
[Evan] Ugh. It is not typically a good idea to back up a clinical administrative database with a USB data stick. "Routinely" is worse, and implies that this was a standard operating procedure.
Data relating to a maximum of 6,360 patients was held on the device, although in some cases individual patients had more than one entry.
All patients are, or have been, a prisoner at HMP Preston.
The USB data stick was encrypted, but the password had been attached to the device.
[Evan] Oops. The password is the secret key that allows for the decryption of the encrypted information. If you intend to use symmetric-key (aka secret-key, single-key, private-key) encryption, protection of the key (often a password) is paramount. Encrypting information and handing over the decryption key is a waste of time. No sense in encrypting in the first place. The encryption algorithms used for the encryption of flash drives, laptops and other mobile media are symmetric-key. Just can't get away from passwords, eh?!
The information lost included prisoner surnames, their broad age range, prison number, cell location, prison clinic appointment times, and review dates.
In some cases there was reference to clinics attended, medical condition and treatment offered.
Conditions included asthma, diabetes, and mental health, as well as a very small number of sexual health references.
The USB data stick did not contain any other information such as first names, dates of birth, NHS numbers, or home contact details. Neither was there any financial information.
A thorough search by PCT staff, as well as HMP Preston's dedicated search team, has been undertaken. To date, the USB data stick remains missing.
Even though there is no risk to any patients' ongoing treatment or care, the PCT will be using a number of approaches to contact those affected to inform them of the breach and apologise.
A dedicated information phone line has been set up for anyone affected who may have concerns.
Anyone with concerns should contact the PCT's confidential information line on: 0. It is open 9am-5pm seven days a week until 23 January 2009. It will be operational from 3pm today (9 January 2009).
NHS Central Lancashire and the Prison Service are working closely together to investigate the incident. This will consider the PCT's systems in order that improvements can be made, and the recommendations will be made public.
[Evan] Recommendations will be made public?! What a refreshing change.
The PCT staff involved have been suspended while the investigation is carried out.
NHS North West, the Department of Health, the Home Office, the Information Commissioner and the Healthcare Commission have all been informed.
NHS Central Lancashire chief executive Joe Rafferty said: "We are deeply sorry - this never should have happened. We have launched a full and thorough investigation and we are taking all necessary steps to ensure it cannot happen again.
[Evan] Even the chief executive speaks out.
"The data relates to patients who have accessed HMP Preston's health clinic since the year 2000, and is a back-up of data stored on the clinic computer. Even though there is no risk to anyone's ongoing treatment or care, we have plans in place to contact those affected to inform them of the breach and apologise."
Notes to editors
We have in place a number of policies, procedures and codes of conduct relating to information governance, which includes security and confidentiality of patient and personal information.
All employees working in the NHS are bound by a duty of care to protect the personal information they may come into contact with during the course of their work.
[Evan] Yes, "All employees"! Don't forget contractors, consultants and other third-parties too. Anyone with potential access to information resources has a "duty of care".
In October the PCT undertook a data protection audit.
A questionnaire was sent to all 3,000 staff via payslips.
The results are being urgently analysed and will be used to develop future training.
The PCT also regularly reminds staff of their responsibilities as regards information governance and statutory responsibilities.
This has recently been via a leaflet attached to payslips, the staff newsletter and team meetings.
Patient confidentiality is a core part of the PCT's induction programme, and training in information governance is mandatory.
[Evan] Some people have argued with me in the past, but I am a big believer that mandatory information security training and awareness pays off huge!
To make sure it cannot happen again, the PCT is:
Undertaking an urgent review of the information governance custom and practice within prison healthcare across the NHS Central Lancashire area.
Developing a prison healthcare IT system which will connect to the secure NHS server.
[Evan] This will not only make the information transfer and storage more secure, but it will also make the process more efficient (if done correctly).
This will be implemented as soon as possible, and will negate the need to use a stand alone computer which requires information to be backed up.
Urgently recalling all USB data sticks across the PCT to re-issue encrypted devices on a needs basis with clear guidance for their use.
[Evan] Yeah, clear guidance like password management training.
Reviewing the adherence of staff to policies and procedures relating to information governance.
Formally reminding all staff about their responsibilities in relation to information governance, and in particular the use of USB data sticks.
Commentary:
Again, this is an excellent public response in my opinion. There is no denial. Central Lancashire PCT admits that an incident took place, admits that they have a problem, publicly assumes responsibility for the problem, and vows to take appropriate steps in an attempt to minimize the risk of recurrence. I get no sense of them trying to hide anything from the public, and I get a genuine sense that they are committed to doing the right thing.
Overall, I have quite a bit of confidence in Central Lancashire PCT and NHS in general. This is a good example of taking a breach and turning it into something that is strategically positive.
Past Breaches:
NHS Trust:
Plenty, see NHS Trust breaches for just some.