by Nick Lowe
A report from the Surrey and Sussex Healthcare NHS Trust in the UK has revealed that East Surrey Hospital lost the details of 800 patients in September 2010 but failed to notify any of the affected patients*. The Trust’s 2010/2011 annual report stated that the lost information had been held on an unencrypted memory stick, and included the names, dates of birth and operation details of each patient. The report also revealed a further nine “near misses” whereby information was lost but later recovered.
It’s a worrying situation when it is no longer surprising to see an NHS data breach with a lost, unencrypted USB stick at the heart of it. Such devices – which have proven to be consistently vulnerable to loss, theft and poor security practices – must be retired. Technology has moved on, and so should organisations looking to transfer information securely. Only by using modern Secure File Transfer solutions can organisations be sure that their data is protected at all times, and only accessible by the intended recipient.
It’s also hugely disappointing to see that the Surrey and Sussex Healthcare Trust failed to notify the individuals affected by the data breach. The Trust has an obligation to protect the personal information of those in its care properly. However, the revelations of poor data security and the failure to notify indicate that there are some serious flaws in its current approach.
It’s unclear just how many more of these incidents are needed before lessons are learned and changes made, but this data breach, along with the nine “near misses” mentioned in the report, will do little to inspire public faith in the NHS.