Stockport and Oldham PCTs lose patient data on USB memory sticks
28 January 2008
Stockport Primary Care Trust has reported that in December last year
a member of staff lost a USB memory stick containing data extracted from
the medical records of 4000 patients.
The Trust says the data was being used to identify patients suitable
for a new long-term conditions service. The data was being transported
to a GP practice so that the GPs could verify the information and confirm
that all the patients were suitable for the new service. The data was being
carried in person rather than sent by email because the "security of
the information had been considered".
It says the loss was reported centrally at the time and again for the NHS-wide
audit of data losses, though patients have not been individually
informed. Computer Weekly reported that the data loss only came to light
publicly because of a freedom of information request.
The Trust says the data was lost by the member of staff "between
parking the car and arriving at her desk" and consisted of: NHS number,
Stockport PCT identification number, first and second name, date of
birth, sex, condition related to the new service (chronic obstructive
pulmonary disease, asthma, heart failure, coronary heart disease,
diabetes or epilepsy), GP code, practice code and GP name.
Silicon.com reported that the USB memory stick had been dropped on a
road on a rainy day and that Chief Executive Richard Popplewell had said: "It is
extremely likely that the data was lost in circumstances in which it
would be unrecoverable. We did not notify the patients affected because
the data lost would not be of assistance to ID fraudsters."
In the press release issued by the Trust, Richard Popplewell says, "I want to assure
patients that I believe there is no possibility of any identity theft as
a result of this loss, and let you know that steps have been taken to
ensure this never happens again."
Oldham PCT has also reported that it lost data relating to 148 people
that was stored on a memory stick. The data lost related to assessments
of future healthcare needs for a continuing care service and included
names, addresses and dates of birth. The PCT has contacted all the patients involved and informed the
Department of Health, NHS North West and the police.
Information Commissioner Richard Thomas said last November to a House
of Lords enquiry into data collection and surveillance that doctors
should be fined £5000 for "flouting data collection principles" or face
an unlimited fine in a Crown Court. In the case of Stockport PCT, it
appears that it was not a GP but a member of staff of the PCT who was
carrying the personally identifiable data extracted from medical records.
Speaking at the annual Steele Raymond lecture at Bournemouth
University, also last November, the Information Commissioner,
commenting on the NHS Spine, said: "The rationale is clear and the
benefits are very substantial. But equally the risks are great and I
have been urging upon the National Health Service the need in particular
to adopt the very highest levels of security. One can imagine very
easily some of the problems which would occur if personal health records
come into wider circulation."
See also:
Opinion: Public data loss
Opinion: Ban USB memory sticks in the NHS
USB devices — a prescription for disaster
Parliamentary committee calls for increased powers for Information Commissioner
GMC guidelines on patient's rights to confidentiality
www.gmc-uk.org/guidance/current/library/confidentiality.asp#1
Taking Information Rights Seriously. Richard Thomas' lecture for The
Steele Raymond Lecture:
www.ico.gov.uk/about_us/news_and_views/events.aspx?achive=true