The data was stored on a misplaced USB memory stick

Jan 13, 2009 09:07 GMT

A USB stick containing medical information on 6,360 prisoners incarcerated at Her Majesty’s Prison Preston has been lost by a worker from the Central Lancashire Primary Care Trust.

Trust representatives explained that the memory stick was used to back up the database of the prison's clinic. “We are taking this very seriously, and we would like to apologize unreservedly for any concern this incident has caused,” a spokesperson said.

The compromised information included the prisoners' names, age range, prison, and cell number, along with details about serious ailments, as well as mental and sexual health status, dating back to 2000. The dates of their clinic appointments and scheduled reviews were also contained on the stick.

The memory stick was encrypted, which is rarely the case with data leak incidents that involve such lost storage devices. However, ironically enough, a note containing the password was attached to it. “In this case, the security of the device appears to have been utterly ham-fisted – with the benefit of encryption completely undone by the lax attitude to keeping the password secret,” Graham Cluley, senior technology consultant for Sophos, notes.

“When people are sent to prison, we expect them to be put under lock-and-key, with no chance of accidental release. It’s a shame we can’t seem to expect the same level of security when it comes to their personal information,” Mr. Cluley concludes.

The Trust is in the process of contacting the prisoners in order to inform them about the risks they have been exposed to. Furthermore, all the memory sticks carried by the staff in the area have been called back and a review of the security practices is pending.

This is not the first time that prisoner information has been lost in the UK. In August 2008, PA Consulting, a firm contracted by the government, misplaced a memory stick containing the unencrypted personal details of 84,000 prisoners, including some of the most dangerous criminals. Prison staff across the UK were exposed to similar risks when another company, contracted by the British Ministry of Justice, lost a portable hard-disk drive.

Other major data leak incidents for which the UK government is directly or indirectly responsible include the loss of records on 25 million consumers by HMRC, the British department responsible for tax collecting, and the theft of a hard drive containing the personal details of 50,000 retired and active military personnel from the offices of the Service Personnel and Veterans Agency.