RAH! RAH! RAH! RAH! SISS BOOM BAH!
A pause, for a moment, for the braying to subside. Judging by Reg responses England is clearly so chock full and bursting at the seams with infallible IT workers that it is simply amazing that anything goes wrong anywhere at all.
The error in judgment here was simply that someone equated the security of paper records in a filing cabinet with (possibly the same) records on a notebook and stored them accordingly. They neglected the status of portable electronics as highly desirable, easily convertible, targets of theft and that was wrong. In the mental arithmetic of Risk, they indirectly ramped "Likelihood" up a handful of notches without mitigation. Fix it. Move on.
Now unless those records were part of a trial of a lucrative patentable treatment, it is unlikely that they were the target of the theft. Similarly it is unlikely that the thieves will take the additional personal risk to try and use the information for personal gain. The gain will be small, and the risk will be high - especially considering the vast number of relatively low (or zero) risk ways to acquire volumes of personal information. Identity theft is fueled by the rapid conversion of the billowing cloud of information we trail behind us - electronically or on paper - into profit. Blagging a hospital is poisonous to the process and, let's face it, completely unnecessary. The only thing that data will do is tie an otherwise convertible asset to a criminal act. Its probable lifetime? Slightly shorter than the serial number on the bottom of the case.
Every day we ask those who provide services to us - doctors, hospitals, government agencies - to be more flexible and respond more rapidly to our changing needs and, more often than not, to do it for less money.
Rigid security systems - the kind we come to expect for national security and high value commercial information - are not designed for the sort of situation where personal data must be simultaneously secure, and at the fingertips of the part-time worker at the admissions counter, and in the hands of the person auditing the health program, and in the hands of the clinician. These requirements demand a properly risk managed but pragmatic approach and with pragmatism (sprinkled liberally with inadequate resourcing) comes the opportunity for errors in judgment. Standardised and reviewed processes help minimise these errors but process always follows need and need moves like a scared rabbit. Errors will occur. Fix them. Move on.
Interestingly, for all the infallible experts here, the concepts of risk management and pragmatism seem pretty thin on the ground. I am sure there are quite a few here who could explain how <INSERT FOOTBALL TEAM HERE> is being mismanaged. <INSERT MANAGER NAME HERE> needs to be given the boot!
I wholeheartedly agree.