Lost memory stick contained confidential patient records

Filed Under: Data loss

With apologies to Andrew Lloyd-Webber and T S Eliot:

# Memory sticks
All alone in the dustbin
I can smile at the old days
I was more careful then
I remember the time I knew what security was
Let the memory live again #

Yep, it's another day, another data loss story.

According to a report in a British tabloid newspaper, the sensitive records of 200 patients suffering from psychological disorders have been found on a portable USB thumb drive found in the road.

The data, which originated from Richardson Hospital in County Durham, details not only the patients' names, dates of birth, addresses and National Insurance numbers, but also contains highly confidential notes detailing their history of drug addiction, self-harm, sexual abuse and suicide attempts.

A member of the public is said to have found the memory stick in the street. Tees, Esk and Wear Valleys NHS Trust admitted that there had been a serious breach of security, and blamed a computer technician for taking records out of the hospital.

This is just the latest in a long line of incidents involving organisations who have proven to be careless with the sensitive data entrusted to them. If the data had fallen into the hands of an identity thief, rather than a law-abiding citizen, then they would have had a field day with the information contained on the drive.

Some of the mental health patients affected by this data breach have told local newspapers how disturbed they are about the lax security.

I hate to sound like a broken record, but there wouldn't be such a hoohah about incidents like this if more organisations took the step of ensuring that all sensitive data copied onto portable media like USB drives was properly encrypted. Every member of staff inside your company needs to understand the importance of taking proper care of data, and not acting irresponsibly.

* Image source: Nedko’s Flickr photostream (Creative Commons 2.0)

You might like

About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.