We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

Poor training blamed for hospital losing unencrypted USB sticks

ICO issues reprimand

The Information Commissioner has blamed a lack of staff training for a London hospital's loss of two unencrypted USB sticks containing patient data.

According to an undertaking published by the ICO, the South London Healthcare NHS trust mislaid two drives, the first containing the personal data of 600 maternity patients, the second medical and personal data of 33 children.

Because both drives were later found, the ICO's concern was that the data was saved to the drives without encryption, a breach of the organisation's data protection principles.

"Due to not having received up-to-date information on governance training the employee was unaware that an encrypted device issued by the data controller should have been used," said the ICO.

In less severe incidents at the same trust, a junior doctor was found to have taken ward lists containing printed medical data on 122 patients out of the hospital while a separate department failed to correctly secure the files of genito-urinary outpatients.

"Without knowing more details we can't speculate on the contents of the trust's policy regarding the use of encrypted memory devices," commented Nick Banks of Imation Mobile Security.

"Organisations have a responsibility to equip their staff with the appropriate technology to ensure proper data protection. Management systems can automatically block the use of non-encrypted memory devices, so the data breach in this case would have been prevented at source."

That the ICO did not put out a formal press release on the USB stick loss is probably down to the drives being found. The likelihood is that they were not accessed during ths time, it said.

This contrasts with the case of East Surrey Hospital, which in September 2010 lost a similarly unencrypted USB stick containing the personal data of 800 patients. That device was not recovered. The institution was 'named and shamed.'

IDG UK Sites

Best Christmas 2014 UK tech deals, Boxing Day 2014 UK tech deals & January sales 2015 UK tech...

IDG UK Sites

LED vs Halogen: Why now could be the right time to invest in LED bulbs

IDG UK Sites

Christmas' best ads: See great festive spots studios have created to promote themselves and clients

IDG UK Sites

Why Apple shouldn't be blamed for exploitation in China and Indonesia