NHS accused of “cavalier attitude” after data security leaks

Information Commissioner's Office
The British National Health Service (NHS) has been accused of losing almost as much personal data in the first three months of this year, as the entire private sector.

With over 140 security breaches by the NHS logged by the Information Commissioner since January, outranking all local and central government data losses combined, it has been confirmed as the public sector’s main loser of personal data.

Richard Thomas, the Information Commissioner, and assistant commissioner Mick Gorrill told the Independent newspaper that NHS workers were demonstrating a “cavalier attitude” and that “there is a complete disconnect between the procedures laid down by managers and what happens on the ground. We need a complete audit to try to change the culture.”

Here are some of the security breaches that rang alarm bells at the Information Commissioner’s Office:

  • A GP downloaded sensitive details of 10,000 patients to an insecure laptop. The laptop was stolen and still remains missing.
  • Old NHS computers containing the medical notes, names and addresses 2,500 people, which were stolen from a skip.
  • A lost memory stick containing medical details of over 6,000 prisoners was encrypted and password-protected, but sadly the password was written on a note attached to the device.

One of the challenges facing the NHS is that it’s the largest employer in Europe (in fact, apart from the Chinese Army and the Indian Railway system it’s probably the biggest in the world), and trying to ensure that all staff treat data securely and sensibly is always going to be a challenge.

That’s why it’s essential that full disk encryption becomes a norm inside organisations that are handling sensitive data, such as patient records. Accidents like lost laptops will continue to happen – but something can be done to ensure that any data lost is gobbledygook that will be useless even if it does fall into the wrong hands.

Alongside encryption, organisations need to centrally monitor compliance with internal policies and external regulations through comprehensive logging and reporting.

Other organisations would be wise not to sit smugly and smirk at the NHS’s misfortune. These are problems that more and more companies are going to be facing sooner rather than later.