London Health Trust Warned After Data Breach

Following a data leak incident, the Information Commissioner’s Office (ICO) in the UK has ordered (PDF) Camden Primary Care Trust (PCT) to ensure patient data safety when disposing of old computer equipment. The trust risks being held in contempt of court, if it does not update the Office on the progress made until March 31.

In August 2008, after several computers were decommissioned, they were left next to a skip on the grounds of St. Pancras Hospital. The computers, which subsequently disappeared and were never recovered, contained information on 2,500 patients, including their names, addresses and even diagnoses. The data was not encrypted.

"The ICO takes all data breaches seriously. Individuals must feel confident that their personal health records will be handled properly by NHS bodies. Over 2,500 individuals may have suffered anxiety as a result of this breach with the worry that their medical records could fall into the wrong hands. This incident highlights organisational error and will, no doubt, damage public trust in the NHS locally," Mick Gorrill, assistant information commissioner at the Information Commissioner’s Office, notes.

Some of the recommendations made by the ICO's Serious Untoward Incident Panel regarding this case include implementing a communication campaign to inform the staff of the proper disposal practices, to encrypt data on all USB sticks, laptop and desktop computers, and to keep robust assets and decommissioning registers for IT equipment.

"Failure to meet the terms of the Enforcement Notice would be contempt of court and may lead to prosecution," is pinpointed in an ICO press release (PDF). "The Information Commissioner’s Office has ordered a number of organisations to sign Undertakings following breaches of the Data Protection Act. Organisations include the Department of Health, NHS Trusts, Home Office, Foreign and Commonwealth Office and Orange Personal Communications Services Ltd.," is also mentioned.

Rob Larkman, chief executive officer of Camden PCT, has defended the trust and has pointed out that this incident has been isolated and does not reflect the normal procedures. "NHS Camden sets itself incredibly high standards when it comes to patient confidentiality and data protection. Unfortunately, on this occasion, we fell below our high standards by inadequately disposing of a number of obsolete computers," he has told the Health Service Journal.

According to Mr. Larkman, the trust has complied with ICO's recommendations. "As a result of the incident, we implemented a root and branch review of our procedures and training on data protection and computer disposal, which are being introduced to every member of staff at the PCT," he informs.

This is not the first time that a care trust loses patient records. In January, we reported that a worker from the Central Lancashire Primary Care Trust had lost a USB stick containing medical information on 6,360 prisoners incarcerated at Her Majesty’s Prison Preston. The data was encrypted, but, ironically, the stick had a note with the password attached.