A medical student who copied the private data of 87 patients onto a memory stick – and then lost it – has landed the University Hospital of South Manchester in trouble with the Information Commissioner's Office (ICO). The ICO ruled today (7 September) that the South Manchester hospital breached the Data Protection Act by letting …
I don't see how this was the hospital's fault; they had a system in place to only allow the use of approved memory sticks. If the student was stupid enough to think that making a copy of that data was OK then I don't want that student to become a doctor.
Yep, not for losing the data, because that blatantly happens all the time.
But for not having the common sense to cover it up like everyone else, shameful behaviour.
This is happening so often
that El Reg should really set up a new article category like RoTM and BOFH specifically dealing with cases of inept government droids losing confidential data.
what data was it?
does anybody ever stop to think if the data was actually dangerous?
if it was just a list of appointment times then who cares? although I suppose best to take the line all data is confidential.
...but I remember the days, when I was a kiddie in the 70s, BT used to publish what was known as a "directory", and in it was everybody who had a phone's name, address and phone number!!!
ahhh, the memories, more innocent times eh?
Are you really that thick?
you must be trolling - right?
Name, address and phone number - as you say pretty much in the public domain. But start adding more *personal* details, and you can set someone up for a good bit of social engineering/phishing trip.
<caller>Is that Mr Smith, the bank manager ?
<caller>I'm calling from MadeUpShire primary health care trust patient satisfaction action team
<caller>Can I confirm the first line of your address, for security
27 Acacia Avenue
<caller>Thank you. You recently had an MRI scan, can I ask how you found the experience ...
and so on till they have enough information to do some damage. OK, I picked a high-earner as a target. Could just have easily been an 18 year old single female.
Things can only get better
As HM.Gov managed to use a bit of a nutter and then sexist taunting to mask the NHS carve-up, we can only expect more of this to happen. Fewer medical staff and more contractors with fewer checks on security.
As contracts come and go where will the data be held and who will be holding it?
It's O.K., the 'cloud' will provide.
"Auditing work after his placement ended"
WTF does this even mean?
Do hospitals *ever* learn?
My job involves a lot of work with the NHS. For all their ICO bollox, they rarely train or provide any encryption software.
We've largely given up the battle of trying to persuade some of our clients to stop sending us unencrypted patient data via email...
Happens all the time
Medical students have to produce continuous case reports and audits of patients to get their degrees but they will often submit these after they have finished a placement and possibly moved to another hospital which could quite literally be 100 miles from the last one depending on your medical school. Hence data gets copied.
Students are told that data must be anonymous, which is fine if you don't need to compare results, say before and after an operation, in which case you need at least the patient's name and DOB in your records. That may be fine when you're in hospital and can use the NHS encrypted sticks, but what happens when you leave your patients or need to work on things at home (you do, because absolutely zero time at work is given for things like audits, which (A) are good for hospitals and improving outcomes and (B) are essential to get you a job since points-based scoring was introduced)?
Does the university provide encrypted data sticks for home use/advise on encrypting your laptop? I thought not, in which case the student/trainee is in a catch-22. Don't do it and you don't get a job or degree, or do it and risk data loss which you are told not to do.
The data in this case was probably names, DOB and outcomes of operations. Probably not sensitive data in the case of hand operations but there are certainly a lot of diseases and problems where this would be embarrassing to any patients where their details were released.
AC as close family member is a doctor.
Re: Happens all the time
"in the case of hand operations"
Glad you didn't put "hand jobs"
Anonymised does not mean randomised. There are plenty of tools and techniques out there to allow live patient/customer databases to be anonymised without ruining the continuity of things like patient records. These should routinely be used whenever data is extracted for research use - this is why the hospital is at fault. They should not put students in a position whereby they can make such cock-ups.
Sad, really. This isn't difficult, yet NHS IT cannot even get these basic things right. Remind me who it is all outsourced to, again?
re: Anonymised data
This is almost certainly not a research paper but a Uni assignment, and sadly a med student doesn't get access to software to make the sort of databases you describe, as the typical hospital computers they will have access to are the ones used by the doctors to type up letters and check on scan results.
In one word
Pseudonymisation. The NHS has spent a helluva lotta cash and person-hours (sorry to be so PC but I'm posting under my real name) trying to ensure that if you do have to use data for research and audit, and totally anonymous data (i.e. with all personalised detail removed) won't do, it's passed through a pseudonymisation process to generate a unique ID that can specify an individual without identifying them.
A bit like session cookies. Same UID, different date of contact - we now have pre- and post-op comparisons. The muppet (rethinking posting under my own name) med student only needed this instead of name and DOB, and age at operation instead of DOB.
Our experience is that doctors don't give a rat's arse for information governance (really unsure about posting under my own name) or Caldicott principles or anything else that they need to comply with, because they think they are this big (holds arms wide) and that the NHS is this big (holds thumb and forefinger an infinitesimal distance apart), whereas the truth is the other way around. (Nope, deffo 'anonymous coward' for me - I have to work with these types)
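The pseudonymisation the two comments above describe (a stable per-patient ID that still lets pre- and post-op records link, with age at contact replacing the date of birth), written out as an added example that is not part of the original thread. The records, NHS numbers and the Trust-held key are all constructed; a keyed HMAC is assumed as the pseudonym generator.

```python
import hmac
import hashlib
from datetime import date

# Constructed sample: the kind of audit extract a student might assemble,
# with direct identifiers (name, DOB) still present.
RAW_RECORDS = [
    {"nhs_number": "0000000010", "name": "A. Patient", "dob": date(1962, 3, 14),
     "contact_date": date(2011, 5, 2), "stage": "pre-op", "grip_score": 31},
    {"nhs_number": "0000000010", "name": "A. Patient", "dob": date(1962, 3, 14),
     "contact_date": date(2011, 8, 20), "stage": "post-op", "grip_score": 44},
    {"nhs_number": "0000000028", "name": "B. Patient", "dob": date(1985, 11, 30),
     "contact_date": date(2011, 6, 9), "stage": "pre-op", "grip_score": 28},
]

# Constructed secret: held by the Trust, never stored alongside the extract.
LINK_KEY = b"trust-held-pseudonymisation-key"

def pseudo_id(nhs_number: str, key: bytes) -> str:
    """Keyed HMAC of the identifier: same patient -> same ID, not reversible without the key."""
    return hmac.new(key, nhs_number.encode(), hashlib.sha256).hexdigest()[:16]

def age_on(dob: date, when: date) -> int:
    """Whole years from dob to 'when', correct on either side of the birthday."""
    return when.year - dob.year - ((when.month, when.day) < (dob.month, dob.day))

def pseudonymise(records, key: bytes):
    """Drop name, DOB and NHS number; keep a pseudonym, age at contact and the outcome fields."""
    out = []
    for r in records:
        out.append({
            "pid": pseudo_id(r["nhs_number"], key),
            "age_at_contact": age_on(r["dob"], r["contact_date"]),
            "stage": r["stage"],
            "grip_score": r["grip_score"],
        })
    return out

def paired_outcomes(pseudo_records):
    """Same pid, different stage: post-op minus pre-op score, with no direct identifier in play."""
    by_pid = {}
    for r in pseudo_records:
        by_pid.setdefault(r["pid"], {})[r["stage"]] = r["grip_score"]
    return {pid: s["post-op"] - s["pre-op"] for pid, s in by_pid.items()
            if {"pre-op", "post-op"} <= set(s)}

if __name__ == "__main__":
    extract = pseudonymise(RAW_RECORDS, LINK_KEY)
    print(extract, paired_outcomes(extract))
```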
It's not the whole of the NHS
Here at my department of the NHS, all laptops are encrypted and no staff have access to the USB port or CD drive. All network ports are locked to their machine's MAC address. All emails are scanned.
They'd have to go to quite some effort to make that mistake here.
I feel your pain! The worst thing is though when dealing with the IT depts of the hospitals, trusts etc they are no better either *sigh*
You can only go so far telling people. It looks like the Trust did the right thing by giving the student an encrypted stick, but then needed/wanted it back when said student left the employ of that Trust, which is fair enough.
The issue is that we have doctors & med students etc milling around the NHS and being employed by different Trusts.
What the outside world does not realise is that the NHS is not like Tesco, with a head office and branches. Each trust is a separate "company", and that when someone moves between trusts, it is like moving from Tesco's to Asda.
The only way to prevent this is for either the NHS centrally, the Universities, or the individuals involved to take on some of the data protection responsibility.
I don't see in this case how it's the Trust's fault. They could have told this guy a thousand times and he still would have "stolen" the data.
Trusts still no good
Unless they provide encrypted data sticks that the medical staff can take and use at home then they're failing. Doctors are required (sometimes as part of their training but usually by virtue of not getting their next job in 2 years' time otherwise) to do audits and write up presentations.
When it's med students it really should be the Unis that are taking the responsibility for making sure they give their students a way to safely move data about, but good luck getting them to recognise the issue.
A suggestion to the Information Commissioner's Office
On Medical Students
We have tried telling them, we have tried not-quite-patronising interactive training with a shiny certificate at the end of it, we have cajoled, coaxed, threatened and beseeched them not to remove unencrypted patient data from NHS premises.
We have warned them of the possible consequences of failure as this is not just another Trust Policy but the law of the land!
All to no avail.
Medical students tend to regard absolute rules and laws as, at best, guidelines, applicable to the common herd of course, but not to them personally.
If Healthcare Trusts are to be fined for the idiocy of students, then the same Trust should have the right to Beat Them With a Stout Stick.
It will give the F1s on A&E rotation something to practice on. (And possibly learn a valuable lesson?)
Yes, yes, I'm taking my medication now...
Students' Standard Model for Treatment of Personal Data
Student is 100% to blame on this occasion.
In spite of repeated, high profile cases of lost unencrypted disks and memory sticks, this individual thinks it is OK to make an unencrypted copy, on their personal media, without permission.
I don't want such an irresponsible fool working at a medical facility anywhere near me, family, friends or even total strangers.
If he'd burnt a copy to disk
He'd have been insensitive as well.