NHS data breach
Lanarkshire NHS has admitted to a catalogue of losses of IT and medical equipment. A Freedom of Information request by the Wishaw Press found that six computers and a hard drive had gone missing from NHS Lanarkshire buildings since 2008. The NHS trust confirmed that the laptops were fully encrypted and an exercise had taken place to remove all information from hard drives and desktop computers to store it on central servers, as they were not encrypted. In addition, the IT systems do not allow users to store anything to the computer's hard drive. NHS Lanarkshire said: “We have robust procedures in place governing the loss of any data or equipment lost or stolen. All incidents must be reported so that a full investigation can take place.”
The "entirely avoidable" error, which saw a spreadsheet containing the equality and diversity responses of 1,373 staff published on the website of Torbay Care Trust, was only spotted when it was reported by a member of the public 19 weeks later, the ICO said. An investigation by the data protection watchdog after the breach, which occurred in April 2011, found that the Trust had no guidance for staff on what information should not be published online and did not have adequate checks in place to identify potential problems. The amount of the penalty reflected the "very serious" nature of the breach, it said in its notice (10-page / 1.3MB PDF).
01 June 2012: An NHS trust in Brighton has been slammed with a £325,000 fine by the Information Commissioner's Office (ICO) after hard drives were sold online containing sensitive data on tens of thousands of patients and staff.
The Information Commissioner is proposing to issue its heaviest ever fine for a breach of UK data protection laws. It proposes fining a health body after patient records were stolen from a hospital and sold on eBay.
Patient details on stolen hard drives
Oracle’s customers in the UK alone include the Department for Work and Pensions, which pays out more than £100bn a year, and HM Revenue and Customs, which collects about £500bn.
Another NHS Trust has misplaced an unencrypted USB stick containing sensitive data.
Information Commissioner’s Office (ICO) publishes details of the loss of children’s personal sensitive information. The ICO has published details of the action it has taken against three local authorities and an NHS trust following breaches of the Data Protection Act 1998 in relation to children’s medical records. The breaches were primarily caused by a lack of staff training on how to handle personal information and the findings serve as a useful reminder in relation to document storage for colleagues who work with children (as well as adults).
The ICO is committed to raising awareness of data protection and freedom of information rights, and to encouraging good practice. Our archive goes back to 2010.
In most NHS Trusts, information security is high up the management agenda but low down the budgetary list. This is because the lack of a centralised pot of mandated and ring-fenced funding means that it is competing for money with higher priority issues such as patient care and the National Programme for IT (NPfIT) initiative at the same time that healthcare bodies are trying to balance their books. The situation is also not helped by the autonomous nature of the Trusts themselves.
Following a data leak incident, the Information Commissioner’s Office (ICO) in the UK has ordered (PDF) Camden Primary Care Trust (PCT) to ensure patient data safety when disposing of old computer equipment.
From today, a deliberate or malicious data breach can be punished with a fine of up to £500,000.
08 July 2009: 70% of UK organizations hit by a data breach in the past year
Employees with the Torbay Care Trust (TCT) in Devon found details of their sexual orientation and religious beliefs were published online, alongside their name, date of birth, pay scale and National Insurance number. It did not contain any patient or clinical data, the trust said. TCT was handed a £175,000 penalty today, following the investigation by the Information Commissioner's Office (ICO), which described the data breach as "serious" and "extremely troubling". The ICO said the trust published the information in a spreadsheet on its website in April 2011, and only spotted the mistake when it was reported by a member of the public 19 weeks later.
There are a number of tools available to the Information Commissioner’s Office for taking action to change the behaviour of organisations and individuals that collect, use and keep personal information. They include criminal prosecution, non-criminal enforcement and audit. The Information Commissioner also has the power to serve a monetary penalty notice on a data controller. The tools are not mutually exclusive. We will use them in combination where justified by the circumstances. The main options are:
NHS challenges £375,000 ICO fine